luxolus
/
open-consul
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity
open-consul/agent/agent.go

3840 lines
118 KiB
Go
Raw Normal View History

Agent skeleton
2013-12-20 01:14:46 +00:00
package agent
Filling in Agent basics
2013-12-20 23:33:13 +00:00
import (
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
"context"
agent: refactor DNS and HTTP server * refactor DNS server to be ready for multiple bind addresses * drop tcpKeepAliveListener since it is default for the HTTP servers * add startup timeout watcher for HTTP servers identical to DNS server
2017-05-24 13:22:56 +00:00
"crypto/tls"
agent: first pass at local service and check persistence
2014-11-24 08:36:03 +00:00
"encoding/json"
Filling in Agent basics
2013-12-20 23:33:13 +00:00
"fmt"
Working on the agent
2013-12-21 00:39:32 +00:00
"io"
agent: refactor loadChecks/loadServices, fixes a few minor bugs
2015-06-04 21:33:30 +00:00
"io/ioutil"
Adding support for advertise address
2014-01-01 00:45:13 +00:00
"net"
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
"net/http"
Working on the agent
2013-12-21 00:39:32 +00:00
"os"
consul: first pass at keyring integration
2014-09-06 00:22:33 +00:00
"path/filepath"
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
"regexp"
agent: Adding Stats() export
2014-02-24 00:42:39 +00:00
"strconv"
Run all known addresses through go-sockaddr/template. The following is now possible: ``` $ consul agent -dev -client="{{GetPrivateIP}}" -bind='{{GetInterfaceIP "en0"}}' ```
2016-12-02 05:35:38 +00:00
"strings"
Working on the agent
2013-12-21 00:39:32 +00:00
"sync"
agent: first stab at persisting check state
2015-06-05 23:17:07 +00:00
"time"
Add expect bootstrap '-expect=n' mode. This allows for us to automatically bootstrap a cluster of nodes after 'n' number of server nodes join. All servers must have the same 'n' set, or they will fail to join the cluster; all servers will not join the peer set until they hit 'n' server nodes. If the raft commit index is not empty, '-expect=n' does nothing because it thinks you've already bootstrapped. Signed-off-by: Robert Xu <robxu9@gmail.com>
2014-06-16 21:36:12 +00:00
config: move NodeName validation to config validation Previsouly it was done in Agent.Start, which is much later then it needs to be. The new 'dns' package was required, because otherwise there would be an import cycle. In the future we should move more of the dns server into the dns package.
2020-08-17 21:24:49 +00:00
"github.com/hashicorp/consul/agent/dns"
agent/token: Move token persistence out of agent And into token.Store. This change isolates any awareness of token persistence in a single place. It is a small step in allowing Agent.New to accept its dependencies.
2020-08-17 23:30:25 +00:00
"github.com/hashicorp/consul/agent/token"
Security fixes (#7182) * Mitigate HTTP/RPC Services Allow Unbounded Resource Usage Fixes #7159. Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: Paul Banks <banks@banksco.de>
2020-01-31 16:19:37 +00:00
"github.com/hashicorp/go-connlimit"
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
"github.com/hashicorp/go-hclog"
Prune Unhealthy Agents (#6571) * Add -prune flag to ForceLeave
2019-10-04 21:10:02 +00:00
"github.com/hashicorp/go-memdb"
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review
2018-10-03 19:37:53 +00:00
"google.golang.org/grpc"
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
"github.com/armon/go-metrics"
acl: consolidate error handling (#3401) The error handling of the ACL code relies on the presence of certain magic error messages. Since the error values are sent via RPC between older and newer consul agents we cannot just replace the magic values with typed errors and switch to type checks since this would break compatibility with older clients. Therefore, this patch moves all magic ACL error messages into the acl package and provides default error values and helper functions which determine the type of error.
2017-08-23 14:52:48 +00:00
"github.com/hashicorp/consul/acl"
agent: decouple anti-entropy from local state The anti-entropy code manages background synchronizations of the local state on a regular basis or on demand when either the state has changed or a new consul server has been added. This patch moves the anti-entropy code into its own package and decouples it from the local state code since they are performing two different functions. To simplify code-review this revision does not make any optimizations, renames or refactorings. This will happen in subsequent commits.
2017-08-28 12:17:09 +00:00
"github.com/hashicorp/consul/agent/ae"
agent: initialize the cache and cache the CA roots
2018-04-11 08:52:51 +00:00
"github.com/hashicorp/consul/agent/cache"
Allow DNS interface to use agent cache (#5300) Adds two new configuration parameters "dns_config.use_cache" and "dns_config.cache_max_age" controlling how DNS requests use the agent cache when querying servers.
2019-02-25 19:06:01 +00:00
cachetype "github.com/hashicorp/consul/agent/cache-types"
Decouple the code that executes checks from the agent
2017-10-25 09:18:07 +00:00
"github.com/hashicorp/consul/agent/checks"
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
"github.com/hashicorp/consul/agent/config"
pkg refactor command/agent/* -> agent/* command/consul/* -> agent/consul/* command/agent/command{,_test}.go -> command/agent{,_test}.go command/base/command.go -> command/base.go command/base/* -> command/* commands.go -> command/commands.go The script which did the refactor is: ( cd $GOPATH/src/github.com/hashicorp/consul git mv command/agent/command.go command/agent.go git mv command/agent/command_test.go command/agent_test.go git mv command/agent/flag_slice_value{,_test}.go command/ git mv command/agent . git mv command/base/command.go command/base.go git mv command/base/config_util{,_test}.go command/ git mv commands.go command/ git mv consul agent rmdir command/base/ gsed -i -e 's|package agent|package command|' command/agent{,_test}.go gsed -i -e 's|package agent|package command|' command/flag_slice_value{,_test}.go gsed -i -e 's|package base|package command|' command/base.go command/config_util{,_test}.go gsed -i -e 's|package main|package command|' command/commands.go gsed -i -e 's|base.Command|BaseCommand|' command/commands.go gsed -i -e 's|agent.Command|AgentCommand|' command/commands.go gsed -i -e 's|\tCommand:|\tBaseCommand:|' command/commands.go gsed -i -e 's|base\.||' command/commands.go gsed -i -e 's|command\.||' command/commands.go gsed -i -e 's|command|c|' main.go gsed -i -e 's|range Commands|range command.Commands|' main.go gsed -i -e 's|Commands: Commands|Commands: command.Commands|' main.go gsed -i -e 's|base\.BoolValue|BoolValue|' command/operator_autopilot_set.go gsed -i -e 's|base\.DurationValue|DurationValue|' command/operator_autopilot_set.go gsed -i -e 's|base\.StringValue|StringValue|' command/operator_autopilot_set.go gsed -i -e 's|base\.UintValue|UintValue|' command/operator_autopilot_set.go gsed -i -e 's|\bCommand\b|BaseCommand|' command/base.go gsed -i -e 's|BaseCommand Options|Command Options|' command/base.go gsed -i -e 's|base.Command|BaseCommand|' command/*.go gsed -i -e 's|c\.Command|c.BaseCommand|g' command/*.go gsed -i -e 's|\tCommand:|\tBaseCommand:|' command/*_test.go gsed -i -e 's|base\.||' command/*_test.go gsed -i -e 's|\bCommand\b|AgentCommand|' command/agent{,_test}.go gsed -i -e 's|cmd.AgentCommand|cmd.BaseCommand|' command/agent.go gsed -i -e 's|cli.AgentCommand = new(Command)|cli.Command = new(AgentCommand)|' command/agent_test.go gsed -i -e 's|exec.AgentCommand|exec.Command|' command/agent_test.go gsed -i -e 's|exec.BaseCommand|exec.Command|' command/agent_test.go gsed -i -e 's|NewTestAgent|agent.NewTestAgent|' command/agent_test.go gsed -i -e 's|= TestConfig|= agent.TestConfig|' command/agent_test.go gsed -i -e 's|: RetryJoin|: agent.RetryJoin|' command/agent_test.go gsed -i -e 's|\.\./\.\./|../|' command/config_util_test.go gsed -i -e 's|\bverifyUniqueListeners|VerifyUniqueListeners|' agent/config{,_test}.go command/agent.go gsed -i -e 's|\bserfLANKeyring\b|SerfLANKeyring|g' agent/{agent,keyring,testagent}.go command/agent.go gsed -i -e 's|\bserfWANKeyring\b|SerfWANKeyring|g' agent/{agent,keyring,testagent}.go command/agent.go gsed -i -e 's|\bNewAgent\b|agent.New|g' command/agent{,_test}.go gsed -i -e 's|\bNewAgent|New|' agent/{acl_test,agent,testagent}.go gsed -i -e 's|\bAgent\b|agent.&|g' command/agent{,_test}.go gsed -i -e 's|\bBool\b|agent.&|g' command/agent{,_test}.go gsed -i -e 's|\bConfig\b|agent.&|g' command/agent{,_test}.go gsed -i -e 's|\bDefaultConfig\b|agent.&|g' command/agent{,_test}.go gsed -i -e 's|\bDevConfig\b|agent.&|g' command/agent{,_test}.go gsed -i -e 's|\bMergeConfig\b|agent.&|g' command/agent{,_test}.go gsed -i -e 's|\bReadConfigPaths\b|agent.&|g' command/agent{,_test}.go gsed -i -e 's|\bParseMetaPair\b|agent.&|g' command/agent{,_test}.go gsed -i -e 's|\bSerfLANKeyring\b|agent.&|g' command/agent{,_test}.go gsed -i -e 's|\bSerfWANKeyring\b|agent.&|g' command/agent{,_test}.go gsed -i -e 's|circonus\.agent|circonus|g' command/agent{,_test}.go gsed -i -e 's|logger\.agent|logger|g' command/agent{,_test}.go gsed -i -e 's|metrics\.agent|metrics|g' command/agent{,_test}.go gsed -i -e 's|// agent.Agent|// agent|' command/agent{,_test}.go gsed -i -e 's|a\.agent\.Config|a.Config|' command/agent{,_test}.go gsed -i -e 's|agent\.AppendSliceValue|AppendSliceValue|' command/{configtest,validate}.go gsed -i -e 's|consul/consul|agent/consul|' GNUmakefile gsed -i -e 's|\.\./test|../../test|' agent/consul/server_test.go # fix imports f=$(grep -rl 'github.com/hashicorp/consul/command/agent' * | grep '\.go') gsed -i -e 's|github.com/hashicorp/consul/command/agent|github.com/hashicorp/consul/agent|' $f goimports -w $f f=$(grep -rl 'github.com/hashicorp/consul/consul' * | grep '\.go') gsed -i -e 's|github.com/hashicorp/consul/consul|github.com/hashicorp/consul/agent/consul|' $f goimports -w $f goimports -w command/*.go main.go )
2017-06-09 22:28:28 +00:00
"github.com/hashicorp/consul/agent/consul"
local state: move to separate package This patch moves the local state to a separate package to further decouple it from the agent code. The code compiles but the tests do not yet.
2017-08-28 12:17:12 +00:00
"github.com/hashicorp/consul/agent/local"
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review
2018-10-03 19:37:53 +00:00
"github.com/hashicorp/consul/agent/proxycfg"
agent: move agent/consul/structs to agent/structs
2017-07-06 10:34:00 +00:00
"github.com/hashicorp/consul/agent/structs"
agent: notify systemd after JoinLAN (#2121) This patch adds support for notifying systemd via the NOTIFY_SOCKET by sending 'READY=1' to the socket after a successful JoinLAN. Fixes #2121
2017-06-21 04:43:55 +00:00
"github.com/hashicorp/consul/agent/systemd"
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review
2018-10-03 19:37:53 +00:00
"github.com/hashicorp/consul/agent/xds"
Remove duplicate constants This patch removes duplicate internal copies of constants in the structs package which are also defined in the api package. The api.KVOp type with all its values for the TXN endpoint and the api.HealthXXX constants are now used throughout the codebase. This resulted in some circular dependencies in the testutil package which have been resolved by copying code and constants and moving the WaitForLeader function into a separate testrpc package.
2017-04-19 23:00:11 +00:00
"github.com/hashicorp/consul/api"
Move the watch package into the api module (#5664) * Move the watch package into the api module It was already just a thin wrapper around the API anyways. The biggest change was to the testing. Instead of using a test agent directly from the agent package it now uses the binary on the PATH just like the other API tests. The other big changes were to fix up the connect based watch tests so that we didn’t need to pull in the connect package (and therefore all of Consul)
2019-04-26 16:33:01 +00:00
"github.com/hashicorp/consul/api/watch"
agent: move isAddrANY to separate package
2017-05-15 20:10:36 +00:00
"github.com/hashicorp/consul/ipaddr"
Factor out duplicate functions into a lib package Consolidate code duplication and tests into a single lib package. Most of these functions were from various **/util.go functions that couldn't be imported due to cyclic imports. The consul/lib package is intended to be a terminal node in an import DAG and a place to stash various consul-only helper functions. Pulled in hashicorp/go-uuid instead of consolidating UUID access.
2016-01-29 19:42:34 +00:00
"github.com/hashicorp/consul/lib"
agent/proxy: write pid file whenever the daemon process changes
2018-05-03 20:56:42 +00:00
"github.com/hashicorp/consul/lib/file"
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
"github.com/hashicorp/consul/logging"
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
"github.com/hashicorp/consul/tlsutil"
Revert "Move `structs.CheckID` to a new top-level package, `types`." This reverts commit 2bbd52e3b44ff1b60939a8400264d534662d6d51.
2016-06-06 20:19:31 +00:00
"github.com/hashicorp/consul/types"
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
"github.com/hashicorp/go-multierror"
Add state store table and endpoints for autopilot
2017-02-24 04:32:13 +00:00
"github.com/hashicorp/raft"
Add expect bootstrap '-expect=n' mode. This allows for us to automatically bootstrap a cluster of nodes after 'n' number of server nodes join. All servers must have the same 'n' set, or they will fail to join the cluster; all servers will not join the peer set until they hit 'n' server nodes. If the raft commit index is not empty, '-expect=n' does nothing because it thinks you've already bootstrapped. Signed-off-by: Robert Xu <robxu9@gmail.com>
2014-06-16 21:36:12 +00:00
"github.com/hashicorp/serf/serf"
Adds HTTP/2 support to Consul's HTTPS server. (#3657) * Refactors the HTTP listen path to create servers in the same spot. * Adds HTTP/2 support to Consul's HTTPS server. * Vendors Go HTTP/2 library and associated deps.
2017-11-07 23:06:59 +00:00
"golang.org/x/net/http2"
Filling in Agent basics
2013-12-20 23:33:13 +00:00
)
agent: first pass at local service and check persistence
2014-11-24 08:36:03 +00:00
const (
// Path to save agent service definitions
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
servicesDir = "services"
serviceConfigDir = "services/configs"
agent: first pass at local service and check persistence
2014-11-24 08:36:03 +00:00
Persist proxy state through agent restart
2018-05-14 20:55:24 +00:00
// Path to save agent proxy definitions
proxyDir = "proxies"
agent: first pass at local service and check persistence
2014-11-24 08:36:03 +00:00
// Path to save local agent checks
agent: first stab at persisting check state
2015-06-05 23:17:07 +00:00
checksDir = "checks"
checkStateDir = "checks/state"
agent: error if binding to existing socket file
2015-01-16 20:39:15 +00:00
agent: use const for default maintenance reason strings
2015-01-21 22:45:09 +00:00
// Default reasons for node/service maintenance mode
defaultNodeMaintReason = "Maintenance mode is enabled for this node, " +
"but no reason was provided. This is a default message."
defaultServiceMaintReason = "Maintenance mode is enabled for this " +
"service, but no reason was provided. This is a default message."
tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597)
2019-06-27 20:22:07 +00:00
// ID of the roots watch
rootsWatchID = "roots"
// ID of the leaf watch
leafWatchID = "leaf"
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
// maxQueryTime is used to bound the limit of a blocking query
maxQueryTime = 600 * time.Second
// defaultQueryTime is the amount of time we block waiting for a change
// if no time is specified. Previously we would wait the maxQueryTime.
defaultQueryTime = 300 * time.Second
)
var (
httpAddrRE = regexp.MustCompile(`^(http[s]?://)(\[.*?\]|\[?[\w\-\.]+)(:\d+)?([^?]*)(\?.*)?$`)
grpcAddrRE = regexp.MustCompile("(.*)((?::)(?:[0-9]+))(.*)$")
agent: first pass at local service and check persistence
2014-11-24 08:36:03 +00:00
)
[Security] Add finer control over script checks (#4715) * Add -enable-local-script-checks options These options allow for a finer control over when script checks are enabled by giving the option to only allow them when they are declared from the local file system. * Add documentation for the new option * Nitpick doc wording
2018-10-11 12:22:11 +00:00
type configSource int
const (
ConfigSourceLocal configSource = iota
ConfigSourceRemote
)
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
var configSourceToName = map[configSource]string{
ConfigSourceLocal: "local",
ConfigSourceRemote: "remote",
}
var configSourceFromName = map[string]configSource{
"local": ConfigSourceLocal,
"remote": ConfigSourceRemote,
// If the value is not found in the persisted config file, then use the
// former default.
"": ConfigSourceLocal,
}
func (s configSource) String() string {
return configSourceToName[s]
}
// ConfigSourceFromName will unmarshal the string form of a configSource.
func ConfigSourceFromName(name string) (configSource, bool) {
s, ok := configSourceFromName[name]
return s, ok
}
agent: rename clientServer interface to delegate
2017-06-15 09:42:07 +00:00
// delegate defines the interface shared by both
agent: Replace client/server with delegate interface This patch adds a new internal interface clientServer which defines the common methods of consul.Client and consul.Server. This allows to replace the following code if a.server != nil { a.server.do() } else { a.client.do() } with a.delegate.do() In case a specific type is required a type check can be performed: if srv, ok := a.delegate.(*consul.Server); ok { srv.doSrv() }
2017-05-15 14:05:17 +00:00
// consul.Client and consul.Server.
agent: rename clientServer interface to delegate
2017-06-15 09:42:07 +00:00
type delegate interface {
Adds open source side of network segments (feature is Enterprise-only).
2017-08-14 14:36:07 +00:00
GetLANCoordinate() (lib.CoordinateSet, error)
agent: Replace client/server with delegate interface This patch adds a new internal interface clientServer which defines the common methods of consul.Client and consul.Server. This allows to replace the following code if a.server != nil { a.server.do() } else { a.client.do() } with a.delegate.do() In case a specific type is required a type check can be performed: if srv, ok := a.delegate.(*consul.Server); ok { srv.doSrv() }
2017-05-15 14:05:17 +00:00
Leave() error
LANMembers() []serf.Member
Makes the all segments query explict, and the default for `consul members`.
2017-09-05 19:22:20 +00:00
LANMembersAllSegments() ([]serf.Member, error)
Fix some inconsistencies with segment logic and comments
2017-08-30 23:44:04 +00:00
LANSegmentMembers(segment string) ([]serf.Member, error)
agent: Replace client/server with delegate interface This patch adds a new internal interface clientServer which defines the common methods of consul.Client and consul.Server. This allows to replace the following code if a.server != nil { a.server.do() } else { a.client.do() } with a.delegate.do() In case a specific type is required a type check can be performed: if srv, ok := a.delegate.(*consul.Server); ok { srv.doSrv() }
2017-05-15 14:05:17 +00:00
LocalMember() serf.Member
JoinLAN(addrs []string) (n int, err error)
Prune Unhealthy Agents (#6571) * Add -prune flag to ForceLeave
2019-10-04 21:10:02 +00:00
RemoveFailedNode(node string, prune bool) error
New ACLs (#4791) This PR is almost a complete rewrite of the ACL system within Consul. It brings the features more in line with other HashiCorp products. Obviously there is quite a bit left to do here but most of it is related docs, testing and finishing the last few commands in the CLI. I will update the PR description and check off the todos as I finish them over the next few days/week. Description At a high level this PR is mainly to split ACL tokens from Policies and to split the concepts of Authorization from Identities. A lot of this PR is mostly just to support CRUD operations on ACLTokens and ACLPolicies. These in and of themselves are not particularly interesting. The bigger conceptual changes are in how tokens get resolved, how backwards compatibility is handled and the separation of policy from identity which could lead the way to allowing for alternative identity providers. On the surface and with a new cluster the ACL system will look very similar to that of Nomads. Both have tokens and policies. Both have local tokens. The ACL management APIs for both are very similar. I even ripped off Nomad's ACL bootstrap resetting procedure. There are a few key differences though. Nomad requires token and policy replication where Consul only requires policy replication with token replication being opt-in. In Consul local tokens only work with token replication being enabled though. All policies in Nomad are globally applicable. In Consul all policies are stored and replicated globally but can be scoped to a subset of the datacenters. This allows for more granular access management. Unlike Nomad, Consul has legacy baggage in the form of the original ACL system. The ramifications of this are: A server running the new system must still support other clients using the legacy system. A client running the new system must be able to use the legacy RPCs when the servers in its datacenter are running the legacy system. The primary ACL DC's servers running in legacy mode needs to be a gate that keeps everything else in the entire multi-DC cluster running in legacy mode. So not only does this PR implement the new ACL system but has a legacy mode built in for when the cluster isn't ready for new ACLs. Also detecting that new ACLs can be used is automatic and requires no configuration on the part of administrators. This process is detailed more in the "Transitioning from Legacy to New ACL Mode" section below.
2018-10-19 16:04:07 +00:00
ResolveToken(secretID string) (acl.Authorizer, error)
Fix identity resolution on clients and in secondary dcs (#7862) Previously this happened to be using the method on the Server/Client that was meant to allow the ACLResolver to locally resolve tokens. On Servers that had tokens (primary or secondary dc + token replication) this function would lookup the token from raft and return the ACLIdentity. On clients this was always a noop. We inadvertently used this function instead of creating a new one when we added logging accessor ids for permission denied RPC requests. With this commit, a new method is used for resolving the identity properly via the ACLResolver which may still resolve locally in the case of being on a server with tokens but also supports remote token resolution.
2020-05-13 17:00:08 +00:00
ResolveTokenToIdentity(secretID string) (structs.ACLIdentity, error)
OSS changes for implementing token based namespace inferencing remove debug log
2019-12-18 18:46:53 +00:00
ResolveTokenAndDefaultMeta(secretID string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error)
agent: Replace client/server with delegate interface This patch adds a new internal interface clientServer which defines the common methods of consul.Client and consul.Server. This allows to replace the following code if a.server != nil { a.server.do() } else { a.client.do() } with a.delegate.do() In case a specific type is required a type check can be performed: if srv, ok := a.delegate.(*consul.Server); ok { srv.doSrv() }
2017-05-15 14:05:17 +00:00
RPC(method string, args interface{}, reply interface{}) error
New ACLs (#4791) This PR is almost a complete rewrite of the ACL system within Consul. It brings the features more in line with other HashiCorp products. Obviously there is quite a bit left to do here but most of it is related docs, testing and finishing the last few commands in the CLI. I will update the PR description and check off the todos as I finish them over the next few days/week. Description At a high level this PR is mainly to split ACL tokens from Policies and to split the concepts of Authorization from Identities. A lot of this PR is mostly just to support CRUD operations on ACLTokens and ACLPolicies. These in and of themselves are not particularly interesting. The bigger conceptual changes are in how tokens get resolved, how backwards compatibility is handled and the separation of policy from identity which could lead the way to allowing for alternative identity providers. On the surface and with a new cluster the ACL system will look very similar to that of Nomads. Both have tokens and policies. Both have local tokens. The ACL management APIs for both are very similar. I even ripped off Nomad's ACL bootstrap resetting procedure. There are a few key differences though. Nomad requires token and policy replication where Consul only requires policy replication with token replication being opt-in. In Consul local tokens only work with token replication being enabled though. All policies in Nomad are globally applicable. In Consul all policies are stored and replicated globally but can be scoped to a subset of the datacenters. This allows for more granular access management. Unlike Nomad, Consul has legacy baggage in the form of the original ACL system. The ramifications of this are: A server running the new system must still support other clients using the legacy system. A client running the new system must be able to use the legacy RPCs when the servers in its datacenter are running the legacy system. The primary ACL DC's servers running in legacy mode needs to be a gate that keeps everything else in the entire multi-DC cluster running in legacy mode. So not only does this PR implement the new ACL system but has a legacy mode built in for when the cluster isn't ready for new ACLs. Also detecting that new ACLs can be used is automatic and requires no configuration on the part of administrators. This process is detailed more in the "Transitioning from Legacy to New ACL Mode" section below.
2018-10-19 16:04:07 +00:00
UseLegacyACLs() bool
agent: move the SnapshotReplyFn out of the way When splitting up the consul package into server and client the SnapshotReplyFn needs to be in a separate package to avoid a circular dependency.
2017-06-15 09:50:28 +00:00
SnapshotRPC(args *structs.SnapshotRequest, in io.Reader, out io.Writer, replyFn structs.SnapshotReplyFn) error
agent: Replace client/server with delegate interface This patch adds a new internal interface clientServer which defines the common methods of consul.Client and consul.Server. This allows to replace the following code if a.server != nil { a.server.do() } else { a.client.do() } with a.delegate.do() In case a specific type is required a type check can be performed: if srv, ok := a.delegate.(*consul.Server); ok { srv.doSrv() }
2017-05-15 14:05:17 +00:00
Shutdown() error
Stats() map[string]map[string]string
Apply the limits to the clients rpcLimiter
2018-06-11 19:51:17 +00:00
ReloadConfig(config *consul.Config) error
Allow for easy enterprise/oss coexistence Uses struct/interface embedding with the embedded structs/interfaces being empty for oss. Also methods on the server/client types are defaulted to do nothing for OSS
2018-05-24 14:36:42 +00:00
enterpriseDelegate
agent: Replace client/server with delegate interface This patch adds a new internal interface clientServer which defines the common methods of consul.Client and consul.Server. This allows to replace the following code if a.server != nil { a.server.do() } else { a.client.do() } with a.delegate.do() In case a specific type is required a type check can be performed: if srv, ok := a.delegate.(*consul.Server); ok { srv.doSrv() }
2017-05-15 14:05:17 +00:00
}
agent: Warn on dns-incompatible characters during service registration. Fixes #683.
2015-02-09 17:22:51 +00:00
agent: notify systemd after JoinLAN (#2121) This patch adds support for notifying systemd via the NOTIFY_SOCKET by sending 'READY=1' to the socket after a successful JoinLAN. Fixes #2121
2017-06-21 04:43:55 +00:00
// notifier is called after a successful JoinLAN.
type notifier interface {
Notify(string) error
}
Add accessorID of token when ops are denied by ACL system (#7117) * agent: add and edit doc comments * agent: add ACL token accessorID to debugging traces * agent: polish acl debugging * agent: minor fix + string fmt over value interp * agent: undo export & fix logging field names * agent: remove note and migrate up to code review * Update agent/consul/acl.go Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com> * agent: incorporate review feedback * Update agent/acl.go Co-Authored-By: R.B. Boyer <public@richardboyer.net> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>
2020-01-27 19:54:32 +00:00
// Agent is the long running process that is run on every machine.
agent: Replace client/server with delegate interface This patch adds a new internal interface clientServer which defines the common methods of consul.Client and consul.Server. This allows to replace the following code if a.server != nil { a.server.do() } else { a.client.do() } with a.delegate.do() In case a specific type is required a type check can be performed: if srv, ok := a.delegate.(*consul.Server); ok { srv.doSrv() }
2017-05-15 14:05:17 +00:00
// It exposes an RPC interface that is used by the CLI to control the
// agent. The agent runs the query interfaces like HTTP, DNS, and RPC.
// However, it can run in either a client, or server mode. In server
// mode, it runs a full Consul server. In client-only mode, it only forwards
// requests to other Consul servers.
Agent skeleton
2013-12-20 01:14:46 +00:00
type Agent struct {
agent/consul: pass dependencies directly from agent In an upcoming change we will need to pass a grpc.ClientConnPool from BaseDeps into Server. While looking at that change I noticed all of the existing consulOption fields are already on BaseDeps. Instead of duplicating the fields, we can create a struct used by agent/consul, and use that struct in BaseDeps. This allows us to pass along dependencies without translating them into different representations. I also looked at moving all of BaseDeps in agent/consul, however that created some circular imports. Resolving those cycles wouldn't be too bad (it was only an error in agent/consul being imported from cache-types), however this change seems a little better by starting to introduce some structure to BaseDeps. This change is also a small step in reducing the scope of Agent. Also remove some constants that were only used by tests, and move the relevant comment to where the live configuration is set. Removed some validation from NewServer and NewClient, as these are not really runtime errors. They would be code errors, which will cause a panic anyway, so no reason to handle them specially here.
2020-09-14 22:31:07 +00:00
// TODO: remove fields that are already in BaseDeps
baseDeps BaseDeps
Implement Client Agent Auto Config There are a couple of things in here. First, just like auto encrypt, any Cluster.AutoConfig RPC will implicitly use the less secure RPC mechanism. This drastically modifies how the Consul Agent starts up and moves most of the responsibilities (other than signal handling) from the cli command and into the Agent.
2020-06-10 20:47:35 +00:00
agent: fix logging * use agent logger for consul/serf/raft/dns/agent/... * support optional id for concurrent tests
2017-05-23 17:04:06 +00:00
// config is the agent configuration.
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
config *config.RuntimeConfig
Filling in Agent basics
2013-12-20 23:33:13 +00:00
Working on the agent
2013-12-21 00:39:32 +00:00
// Used for writing our logs
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
logger hclog.InterceptLogger
Working on the agent
2013-12-21 00:39:32 +00:00
agent: Replace client/server with delegate interface This patch adds a new internal interface clientServer which defines the common methods of consul.Client and consul.Server. This allows to replace the following code if a.server != nil { a.server.do() } else { a.client.do() } with a.delegate.do() In case a specific type is required a type check can be performed: if srv, ok := a.delegate.(*consul.Server); ok { srv.doSrv() }
2017-05-15 14:05:17 +00:00
// delegate is either a *consul.Server or *consul.Client
// depending on the configuration
agent: rename clientServer interface to delegate
2017-06-15 09:42:07 +00:00
delegate delegate
Working on the agent
2013-12-21 00:39:32 +00:00
New ACLs (#4791) This PR is almost a complete rewrite of the ACL system within Consul. It brings the features more in line with other HashiCorp products. Obviously there is quite a bit left to do here but most of it is related docs, testing and finishing the last few commands in the CLI. I will update the PR description and check off the todos as I finish them over the next few days/week. Description At a high level this PR is mainly to split ACL tokens from Policies and to split the concepts of Authorization from Identities. A lot of this PR is mostly just to support CRUD operations on ACLTokens and ACLPolicies. These in and of themselves are not particularly interesting. The bigger conceptual changes are in how tokens get resolved, how backwards compatibility is handled and the separation of policy from identity which could lead the way to allowing for alternative identity providers. On the surface and with a new cluster the ACL system will look very similar to that of Nomads. Both have tokens and policies. Both have local tokens. The ACL management APIs for both are very similar. I even ripped off Nomad's ACL bootstrap resetting procedure. There are a few key differences though. Nomad requires token and policy replication where Consul only requires policy replication with token replication being opt-in. In Consul local tokens only work with token replication being enabled though. All policies in Nomad are globally applicable. In Consul all policies are stored and replicated globally but can be scoped to a subset of the datacenters. This allows for more granular access management. Unlike Nomad, Consul has legacy baggage in the form of the original ACL system. The ramifications of this are: A server running the new system must still support other clients using the legacy system. A client running the new system must be able to use the legacy RPCs when the servers in its datacenter are running the legacy system. The primary ACL DC's servers running in legacy mode needs to be a gate that keeps everything else in the entire multi-DC cluster running in legacy mode. So not only does this PR implement the new ACL system but has a legacy mode built in for when the cluster isn't ready for new ACLs. Also detecting that new ACLs can be used is automatic and requires no configuration on the part of administrators. This process is detailed more in the "Transitioning from Legacy to New ACL Mode" section below.
2018-10-19 16:04:07 +00:00
// aclMasterAuthorizer is an object that helps manage local ACL enforcement.
aclMasterAuthorizer acl.Authorizer
Adds ACL management support to the agent.
2016-12-14 07:21:14 +00:00
First pass at local state + anti-entropy
2014-01-16 01:14:50 +00:00
// state stores a local representation of the node,
// services and checks. Used for anti-entropy.
local state: tests compile
2017-08-28 12:17:13 +00:00
State *local.State
Adding CheckMonitors and CheckTTLs to agent
2014-01-21 20:05:56 +00:00
agent: decouple anti-entropy from local state The anti-entropy code manages background synchronizations of the local state on a regular basis or on demand when either the state has changed or a new consul server has been added. This patch moves the anti-entropy code into its own package and decouples it from the local state code since they are performing two different functions. To simplify code-review this revision does not make any optimizations, renames or refactorings. This will happen in subsequent commits.
2017-08-28 12:17:09 +00:00
// sync manages the synchronization of the local
// and the remote state.
sync *ae.StateSyncer
Add -sidecar-for and new /agent/service/:service_id endpoint (#4691) - A new endpoint `/v1/agent/service/:service_id` which is a generic way to look up the service for a single instance. The primary value here is that it: - **supports hash-based blocking** and so; - **replaces `/agent/connect/proxy/:proxy_id`** as the mechanism the built-in proxy uses to read its config. - It's not proxy specific and so works for any service. - It has a temporary shim to call through to the existing endpoint to preserve current managed proxy config defaulting behaviour until that is removed entirely (tested). - The built-in proxy now uses the new endpoint exclusively for it's config - The built-in proxy now has a `-sidecar-for` flag that allows the service ID of the _target_ service to be specified, on the condition that there is exactly one "sidecar" proxy (that is one that has `Proxy.DestinationServiceID` set) for the service registered. - Several fixes for edge cases for SidecarService - A fix for `Alias` checks - when running locally they didn't update their state until some external thing updated the target. If the target service has no checks registered as below, then the alias never made it past critical.
2018-09-27 14:00:51 +00:00
// syncMu and syncCh are used to coordinate agent endpoints that are blocking
// on local state during a config reload.
syncMu sync.Mutex
syncCh chan struct{}
agent: initialize the cache and cache the CA roots
2018-04-11 08:52:51 +00:00
// cache is the in-memory cache for data the Agent requests.
cache *cache.Cache
Adds ability to deregister a service based on critical check state longer than a timeout.
2016-08-16 07:05:55 +00:00
// checkReapAfter maps the check ID to a timeout after which we should
// reap its associated service
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
checkReapAfter map[structs.CheckID]time.Duration
Adds ability to deregister a service based on critical check state longer than a timeout.
2016-08-16 07:05:55 +00:00
Adding CheckMonitors and CheckTTLs to agent
2014-01-21 20:05:56 +00:00
// checkMonitors maps the check ID to an associated monitor
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
checkMonitors map[structs.CheckID]*checks.CheckMonitor
command/agent: Add simple HTTP check type These checks make an `HTTP GET` request every Interval to the specified URL. The status of the service depends on the HTTP Response Code. `200` is passing, `503` is warning and anything else is failing.
2015-01-09 22:43:24 +00:00
// checkHTTPs maps the check ID to an associated HTTP check
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
checkHTTPs map[structs.CheckID]*checks.CheckHTTP
command/agent: Add simple HTTP check type These checks make an `HTTP GET` request every Interval to the specified URL. The status of the service depends on the HTTP Response Code. `200` is passing, `503` is warning and anything else is failing.
2015-01-09 22:43:24 +00:00
Add TCP check type Adds the ability to simply check whether a TCP socket accepts connections to determine if it is healthy. This is a light-weight - though less comprehensive than scripting - method of checking network service health. The check parameter `tcp` should be set to the `address:port` combination for the service to be tested. Supports both IPv6 and IPv4, in the case of a hostname that resolves to both, connections will be attempted via both protocol versions, with the first successful connection returning a successful check result. Example check: ```json { "check": { "id": "ssh", "name": "SSH (TCP)", "tcp": "example.com:22", "interval": "10s" } } ```
2015-07-23 11:45:08 +00:00
// checkTCPs maps the check ID to an associated TCP check
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
checkTCPs map[structs.CheckID]*checks.CheckTCP
Add TCP check type Adds the ability to simply check whether a TCP socket accepts connections to determine if it is healthy. This is a light-weight - though less comprehensive than scripting - method of checking network service health. The check parameter `tcp` should be set to the `address:port` combination for the service to be tested. Supports both IPv6 and IPv4, in the case of a hostname that resolves to both, connections will be attempted via both protocol versions, with the first successful connection returning a successful check result. Example check: ```json { "check": { "id": "ssh", "name": "SSH (TCP)", "tcp": "example.com:22", "interval": "10s" } } ```
2015-07-23 11:45:08 +00:00
Add gRPC health-check #3073
2017-12-27 04:35:22 +00:00
// checkGRPCs maps the check ID to an associated GRPC check
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
checkGRPCs map[structs.CheckID]*checks.CheckGRPC
Add gRPC health-check #3073
2017-12-27 04:35:22 +00:00
command/agent: Add simple HTTP check type These checks make an `HTTP GET` request every Interval to the specified URL. The status of the service depends on the HTTP Response Code. `200` is passing, `503` is warning and anything else is failing.
2015-01-09 22:43:24 +00:00
// checkTTLs maps the check ID to an associated check TTL
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
checkTTLs map[structs.CheckID]*checks.CheckTTL
command/agent: Add simple HTTP check type These checks make an `HTTP GET` request every Interval to the specified URL. The status of the service depends on the HTTP Response Code. `200` is passing, `503` is warning and anything else is failing.
2015-01-09 22:43:24 +00:00
Implemented Docker health checks
2015-10-22 22:29:13 +00:00
// checkDockers maps the check ID to an associated Docker Exec based check
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
checkDockers map[structs.CheckID]*checks.CheckDocker
Implemented Docker health checks
2015-10-22 22:29:13 +00:00
agent: run alias checks
2018-06-30 13:38:56 +00:00
// checkAliases maps the check ID to an associated Alias checks
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
checkAliases map[structs.CheckID]*checks.CheckAlias
agent: run alias checks
2018-06-30 13:38:56 +00:00
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
// exposedPorts tracks listener ports for checks exposed through a proxy
exposedPorts map[string]int
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
// stateLock protects the agent state
stateLock sync.Mutex
Adding CheckMonitors and CheckTTLs to agent
2014-01-21 20:05:56 +00:00
agent: replace docker check This patch replaces the Docker client which is used for health checks with a simplified version tailored for that purpose. See #3254 See #3257 Fixes #3270
2017-07-12 14:01:42 +00:00
// dockerClient is the client for performing docker health checks.
Decouple the code that executes checks from the agent
2017-10-25 09:18:07 +00:00
dockerClient *checks.DockerClient
agent: replace docker check This patch replaces the Docker client which is used for health checks with a simplified version tailored for that purpose. See #3254 See #3257 Fixes #3270
2017-07-12 14:01:42 +00:00
agent: working on user events
2014-08-27 23:49:12 +00:00
// eventCh is used to receive user events
eventCh chan serf.UserEvent
agent: Adding event ingestion
2014-08-28 00:01:10 +00:00
// eventBuf stores the most recent events in a ring buffer
// using eventIndex as the next index to insert into. This
// is guarded by eventLock. When an insert happens, the
// eventNotify group is notified.
agent: remove userEventEnc type
2014-08-28 17:56:30 +00:00
eventBuf []*UserEvent
agent: Adding event ingestion
2014-08-28 00:01:10 +00:00
eventIndex int
eventLock sync.RWMutex
agent: move NotifyGroup into the agent pkg
2017-06-15 16:45:30 +00:00
eventNotify NotifyGroup
agent: Adding event ingestion
2014-08-28 00:01:10 +00:00
Adding CheckMonitors and CheckTTLs to agent
2014-01-21 20:05:56 +00:00
shutdown bool
shutdownCh chan struct{}
shutdownLock sync.Mutex
Adds a slightly more flexible mock system so we can test DNS.
2015-11-12 17:19:33 +00:00
agent: notify systemd after JoinLAN (#2121) This patch adds support for notifying systemd via the NOTIFY_SOCKET by sending 'READY=1' to the socket after a successful JoinLAN. Fixes #2121
2017-06-21 04:43:55 +00:00
// joinLANNotifier is called after a successful JoinLAN.
joinLANNotifier notifier
agent: move retry join into agent
2017-06-02 09:55:29 +00:00
// retryJoinCh transports errors from the retry join
// attempts.
retryJoinCh chan error
agent: make the RPC endpoint overwrite mechanism more transparent This patch hides the RPC handler overwrite mechanism from the rest of the code so that it works in all cases and that there is no cooperation required from the tested code, i.e. we can drop a.getEndpoint().
2017-06-16 07:54:09 +00:00
// endpoints maps unique RPC endpoint names to common ones
// to allow overriding of RPC handlers since the golang
// net/rpc server does not allow this.
test: fix data race with endpoints
2017-05-22 22:00:14 +00:00
endpoints map[string]string
endpointsLock sync.RWMutex
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
// dnsServer provides the DNS API
dnsServers []*DNSServer
agent: add apiServers type for managing HTTP servers Remove Server field from HTTPServer. The field is no longer used.
2020-07-02 17:31:47 +00:00
// apiServers listening for connections. If any of these server goroutines
// fail, the agent will be shutdown.
apiServers *apiServers
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
// wgServers is the wait group for all HTTP and DNS servers
agent: add apiServers type for managing HTTP servers Remove Server field from HTTPServer. The field is no longer used.
2020-07-02 17:31:47 +00:00
// TODO: remove once dnsServers are handled by apiServers
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
wgServers sync.WaitGroup
Fixes watch tracking during reloads and fixes address issue. (#3189) This patch fixes watch registration through the config file and a broken log line when the watch registration fails. It also plumbs all the watch loading through a common function and tweaks the unit test to create the watch before the reload.
2017-06-24 19:52:41 +00:00
// watchPlans tracks all the currently-running watch plans for the
// agent.
watchPlans []*watch.Plan
Adds support for agent-side ACL token management via API instead of config files. (#3324) * Adds token store and removes all runtime use of config for ACL tokens. * Adds a new API for changing agent tokens on the fly.
2017-07-26 18:03:43 +00:00
// tokens holds ACL tokens initially from the configuration, but can
// be updated at runtime, so should always be used instead of going to
// the configuration directly.
tokens *token.Store
agent: start proxy manager
2018-05-02 18:38:18 +00:00
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review
2018-10-03 19:37:53 +00:00
// proxyConfig is the manager for proxy service (Kind = connect-proxy)
// configuration state. This ensures all state needed by a proxy registration
// is maintained in cache and handles pushing updates to that state into XDS
connect: remove managed proxies (#6220) * connect: remove managed proxies implementation and all supporting config options and structs * connect: remove deprecated ProxyDestination * command: remove CONNECT_PROXY_TOKEN env var * agent: remove entire proxyprocess proxy manager * test: remove all managed proxy tests * test: remove irrelevant managed proxy note from TestService_ServerTLSConfig * test: update ContentHash to reflect managed proxy removal * test: remove deprecated ProxyDestination test * telemetry: remove managed proxy note * http: remove /v1/agent/connect/proxy endpoint * ci: remove deprecated test exclusion * website: update managed proxies deprecation page to note removal * website: remove managed proxy configuration API docs * website: remove managed proxy note from built-in proxy config * website: add note on removing proxy subdirectory of data_dir
2019-08-09 19:19:30 +00:00
// server to be pushed out to Envoy.
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review
2018-10-03 19:37:53 +00:00
proxyConfig *proxycfg.Manager
Fix a race in the ready logic
2019-04-24 13:46:30 +00:00
// serviceManager is the manager for combining local service registrations with
// the centrally configured proxy/service defaults.
Add the service registration manager to the agent
2019-04-18 04:35:19 +00:00
serviceManager *ServiceManager
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review
2018-10-03 19:37:53 +00:00
// grpcServer is the server instance used currently to serve xDS API for
// Envoy.
grpcServer *grpc.Server
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
Centralise tls configuration part 2 (#5374) This PR is based on #5366 and continues to centralise the tls configuration in order to be reloadable eventually! This PR is another refactoring. No tests are changed, beyond calling other functions or cosmetic stuff. I added a bunch of tests, even though they might be redundant.
2019-02-27 09:14:59 +00:00
// tlsConfigurator is the central instance to provide a *tls.Config
// based on the current consul configuration.
Centralise tls configuration part 1 (#5366) In order to be able to reload the TLS configuration, we need one way to generate the different configurations. This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`. This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 15:52:07 +00:00
tlsConfigurator *tlsutil.Configurator
ACL Token Persistence and Reloading (#5328) This PR adds two features which will be useful for operators when ACLs are in use. 1. Tokens set in configuration files are now reloadable. 2. If `acl.enable_token_persistence` is set to `true` in the configuration, tokens set via the `v1/agent/token` endpoint are now persisted to disk and loaded when the agent starts (or during configuration reload) Note that token persistence is opt-in so our users who do not want tokens on the local disk will see no change. Some other secondary changes: * Refactored a bunch of places where the replication token is retrieved from the token store. This token isn't just for replicating ACLs and now it is named accordingly. * Allowed better paths in the `v1/agent/token/` API. Instead of paths like: `v1/agent/token/acl_replication_token` the path can now be just `v1/agent/token/replication`. The old paths remain to be valid. * Added a couple new API functions to set tokens via the new paths. Deprecated the old ones and pointed to the new names. The names are also generally better and don't imply that what you are setting is for ACLs but rather are setting ACL tokens. There is a minor semantic difference there especially for the replication token as again, its no longer used only for ACL token/policy replication. The new functions will detect 404s and fallback to using the older token paths when talking to pre-1.4.3 agents. * Docs updated to reflect the API additions and to show using the new endpoints. * Updated the ACL CLI set-agent-tokens command to use the non-deprecated APIs.
2019-02-27 19:28:31 +00:00
Security fixes (#7182) * Mitigate HTTP/RPC Services Allow Unbounded Resource Usage Fixes #7159. Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: Paul Banks <banks@banksco.de>
2020-01-31 16:19:37 +00:00
// httpConnLimiter is used to limit connections to the HTTP server by client
// IP.
httpConnLimiter connlimit.Limiter
agent,config: port enterprise only fields to embedded enterprise structs
2020-04-17 20:27:39 +00:00
// enterpriseAgent embeds fields that we only access in consul-enterprise builds
enterpriseAgent
Agent skeleton
2013-12-20 01:14:46 +00:00
}
Implement Client Agent Auto Config There are a couple of things in here. First, just like auto encrypt, any Cluster.AutoConfig RPC will implicitly use the less secure RPC mechanism. This drastically modifies how the Consul Agent starts up and moves most of the responsibilities (other than signal handling) from the cli command and into the Agent.
2020-06-10 20:47:35 +00:00
// New process the desired options and creates a new Agent.
// This process will
// * parse the config given the config Flags
// * setup logging
// * using predefined logger given in an option
// OR
// * initialize a new logger from the configuration
// including setting up gRPC logging
// * initialize telemetry
// * create a TLS Configurator
// * build a shared connection pool
// * create the ServiceManager
// * setup the NodeID if one isn't provided in the configuration
// * create the AutoConfig object for future use in fully
// resolving the configuration
agent: extract dependency creation from New With this change, Agent.New() accepts many of the dependencies instead of creating them in New. Accepting fully constructed dependencies from a constructor makes the type easier to test, and easier to change. There are still a number of dependencies created in Start() which can be addressed in a follow up.
2020-08-08 01:08:43 +00:00
func New(bd BaseDeps) (*Agent, error) {
tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597)
2019-06-27 20:22:07 +00:00
a := Agent{
Allow cancelling startup when performing auto-config (#8157) Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2020-06-19 19:16:00 +00:00
checkReapAfter: make(map[structs.CheckID]time.Duration),
checkMonitors: make(map[structs.CheckID]*checks.CheckMonitor),
checkTTLs: make(map[structs.CheckID]*checks.CheckTTL),
checkHTTPs: make(map[structs.CheckID]*checks.CheckHTTP),
checkTCPs: make(map[structs.CheckID]*checks.CheckTCP),
checkGRPCs: make(map[structs.CheckID]*checks.CheckGRPC),
checkDockers: make(map[structs.CheckID]*checks.CheckDocker),
checkAliases: make(map[structs.CheckID]*checks.CheckAlias),
eventCh: make(chan serf.UserEvent, 1024),
eventBuf: make([]*UserEvent, 256),
joinLANNotifier: &systemd.Notifier{},
retryJoinCh: make(chan error),
shutdownCh: make(chan struct{}),
endpoints: make(map[string]string),
Implement Client Agent Auto Config There are a couple of things in here. First, just like auto encrypt, any Cluster.AutoConfig RPC will implicitly use the less secure RPC mechanism. This drastically modifies how the Consul Agent starts up and moves most of the responsibilities (other than signal handling) from the cli command and into the Agent.
2020-06-10 20:47:35 +00:00
agent/consul: pass dependencies directly from agent In an upcoming change we will need to pass a grpc.ClientConnPool from BaseDeps into Server. While looking at that change I noticed all of the existing consulOption fields are already on BaseDeps. Instead of duplicating the fields, we can create a struct used by agent/consul, and use that struct in BaseDeps. This allows us to pass along dependencies without translating them into different representations. I also looked at moving all of BaseDeps in agent/consul, however that created some circular imports. Resolving those cycles wouldn't be too bad (it was only an error in agent/consul being imported from cache-types), however this change seems a little better by starting to introduce some structure to BaseDeps. This change is also a small step in reducing the scope of Agent. Also remove some constants that were only used by tests, and move the relevant comment to where the live configuration is set. Removed some validation from NewServer and NewClient, as these are not really runtime errors. They would be code errors, which will cause a panic anyway, so no reason to handle them specially here.
2020-09-14 22:31:07 +00:00
baseDeps: bd,
agent: extract dependency creation from New With this change, Agent.New() accepts many of the dependencies instead of creating them in New. Accepting fully constructed dependencies from a constructor makes the type easier to test, and easier to change. There are still a number of dependencies created in Start() which can be addressed in a follow up.
2020-08-08 01:08:43 +00:00
tokens: bd.Tokens,
logger: bd.Logger,
tlsConfigurator: bd.TLSConfigurator,
config: bd.RuntimeConfig,
cache: bd.Cache,
tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597)
2019-06-27 20:22:07 +00:00
}
Implement Client Agent Auto Config There are a couple of things in here. First, just like auto encrypt, any Cluster.AutoConfig RPC will implicitly use the less secure RPC mechanism. This drastically modifies how the Consul Agent starts up and moves most of the responsibilities (other than signal handling) from the cli command and into the Agent.
2020-06-10 20:47:35 +00:00
Add config changes for UI metrics
2020-09-10 16:25:56 +00:00
// Initialize the UI Config
a.uiConfig.Store(a.config.UIConfig)
tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597)
2019-06-27 20:22:07 +00:00
a.serviceManager = NewServiceManager(&a)
agent: do not modify agent config after NewAgent
2017-06-30 21:56:05 +00:00
agent: extract dependency creation from New With this change, Agent.New() accepts many of the dependencies instead of creating them in New. Accepting fully constructed dependencies from a constructor makes the type easier to test, and easier to change. There are still a number of dependencies created in Start() which can be addressed in a follow up.
2020-08-08 01:08:43 +00:00
// TODO: do this somewhere else, maybe move to newBaseDeps
var err error
a.aclMasterAuthorizer, err = initializeACLs(bd.RuntimeConfig.NodeName)
agent: convert NodeID methods to functions Making these functions allows us to cleanup how an agent is initialized. They only make use of a config and a logger, so they do not need to be agent methods. Also cleanup the testing to use t.Run and require.
2020-08-07 23:24:51 +00:00
if err != nil {
agent: extract dependency creation from New With this change, Agent.New() accepts many of the dependencies instead of creating them in New. Accepting fully constructed dependencies from a constructor makes the type easier to test, and easier to change. There are still a number of dependencies created in Start() which can be addressed in a follow up.
2020-08-08 01:08:43 +00:00
return nil, err
tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597)
2019-06-27 20:22:07 +00:00
}
Agent Auto Config: Implement Certificate Generation (#8360) Most of the groundwork was laid in previous PRs between adding the cert-monitor package to extracting the logic of signing certificates out of the connect_ca_endpoint.go code and into a method on the server. This also refactors the auto-config package a bit to split things out into multiple files.
2020-07-28 19:31:48 +00:00
// We used to do this in the Start method. However it doesn't need to go
// there any longer. Originally it did because we passed the agent
// delegate to some of the cache registrations. Now we just
// pass the agent itself so its safe to move here.
a.registerCache()
agent/token: Move token persistence out of agent And into token.Store. This change isolates any awareness of token persistence in a single place. It is a small step in allowing Agent.New to accept its dependencies.
2020-08-17 23:30:25 +00:00
// TODO: why do we ignore failure to load persisted tokens?
_ = a.tokens.Load(bd.RuntimeConfig.ACLTokens, a.logger)
Merge of auto-config and auto-encrypt code (#8523) auto-encrypt is now handled as a special case of auto-config. This also is moving all the cert-monitor code into the auto-config package.
2020-08-31 17:12:17 +00:00
agent: add apiServers type for managing HTTP servers Remove Server field from HTTPServer. The field is no longer used.
2020-07-02 17:31:47 +00:00
// TODO: pass in a fully populated apiServers into Agent.New
a.apiServers = NewAPIServers(a.logger)
tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597)
2019-06-27 20:22:07 +00:00
return &a, nil
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
}
Run all known addresses through go-sockaddr/template. The following is now possible: ``` $ consul agent -dev -client="{{GetPrivateIP}}" -bind='{{GetInterfaceIP "en0"}}' ```
2016-12-02 05:35:38 +00:00
Implement Client Agent Auto Config There are a couple of things in here. First, just like auto encrypt, any Cluster.AutoConfig RPC will implicitly use the less secure RPC mechanism. This drastically modifies how the Consul Agent starts up and moves most of the responsibilities (other than signal handling) from the cli command and into the Agent.
2020-06-10 20:47:35 +00:00
// GetConfig retrieves the agents config
// TODO make export the config field and get rid of this method
// This is here for now to simplify the work I am doing and make
// reviewing the final PR easier.
func (a *Agent) GetConfig() *config.RuntimeConfig {
a.stateLock.Lock()
defer a.stateLock.Unlock()
return a.config
}
Add accessorID of token when ops are denied by ACL system (#7117) * agent: add and edit doc comments * agent: add ACL token accessorID to debugging traces * agent: polish acl debugging * agent: minor fix + string fmt over value interp * agent: undo export & fix logging field names * agent: remove note and migrate up to code review * Update agent/consul/acl.go Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com> * agent: incorporate review feedback * Update agent/acl.go Co-Authored-By: R.B. Boyer <public@richardboyer.net> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>
2020-01-27 19:54:32 +00:00
// LocalConfig takes a config.RuntimeConfig and maps the fields to a local.Config
local state: tests compile
2017-08-28 12:17:13 +00:00
func LocalConfig(cfg *config.RuntimeConfig) local.Config {
lc := local.Config{
AdvertiseAddr: cfg.AdvertiseAddrLAN.String(),
CheckUpdateInterval: cfg.CheckUpdateInterval,
Datacenter: cfg.Datacenter,
DiscardCheckOutput: cfg.DiscardCheckOutput,
NodeID: cfg.NodeID,
NodeName: cfg.NodeName,
TaggedAddresses: map[string]string{},
}
for k, v := range cfg.TaggedAddresses {
lc.TaggedAddresses[k] = v
}
return lc
}
Add accessorID of token when ops are denied by ACL system (#7117) * agent: add and edit doc comments * agent: add ACL token accessorID to debugging traces * agent: polish acl debugging * agent: minor fix + string fmt over value interp * agent: undo export & fix logging field names * agent: remove note and migrate up to code review * Update agent/consul/acl.go Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com> * agent: incorporate review feedback * Update agent/acl.go Co-Authored-By: R.B. Boyer <public@richardboyer.net> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>
2020-01-27 19:54:32 +00:00
// Start verifies its configuration and runs an agent's various subprocesses.
Allow cancelling startup when performing auto-config (#8157) Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2020-06-19 19:16:00 +00:00
func (a *Agent) Start(ctx context.Context) error {
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
a.stateLock.Lock()
defer a.stateLock.Unlock()
Implement Client Agent Auto Config There are a couple of things in here. First, just like auto encrypt, any Cluster.AutoConfig RPC will implicitly use the less secure RPC mechanism. This drastically modifies how the Consul Agent starts up and moves most of the responsibilities (other than signal handling) from the cli command and into the Agent.
2020-06-10 20:47:35 +00:00
// This needs to be done early on as it will potentially alter the configuration
// and then how other bits are brought up
agent/consul: pass dependencies directly from agent In an upcoming change we will need to pass a grpc.ClientConnPool from BaseDeps into Server. While looking at that change I noticed all of the existing consulOption fields are already on BaseDeps. Instead of duplicating the fields, we can create a struct used by agent/consul, and use that struct in BaseDeps. This allows us to pass along dependencies without translating them into different representations. I also looked at moving all of BaseDeps in agent/consul, however that created some circular imports. Resolving those cycles wouldn't be too bad (it was only an error in agent/consul being imported from cache-types), however this change seems a little better by starting to introduce some structure to BaseDeps. This change is also a small step in reducing the scope of Agent. Also remove some constants that were only used by tests, and move the relevant comment to where the live configuration is set. Removed some validation from NewServer and NewClient, as these are not really runtime errors. They would be code errors, which will cause a panic anyway, so no reason to handle them specially here.
2020-09-14 22:31:07 +00:00
c, err := a.baseDeps.AutoConfig.InitialConfiguration(ctx)
Implement Client Agent Auto Config There are a couple of things in here. First, just like auto encrypt, any Cluster.AutoConfig RPC will implicitly use the less secure RPC mechanism. This drastically modifies how the Consul Agent starts up and moves most of the responsibilities (other than signal handling) from the cli command and into the Agent.
2020-06-10 20:47:35 +00:00
if err != nil {
return err
}
// copy over the existing node id, this cannot be
// changed while running anyways but this prevents
// breaking some existing behavior. then overwrite
// the configuration
c.NodeID = a.config.NodeID
a.config = c
if err := a.tlsConfigurator.Update(a.config.ToTLSUtilConfig()); err != nil {
return fmt.Errorf("Failed to load TLS configurations after applying auto-config settings: %w", err)
}
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
agent: fix data race between consul server and local state
2017-06-29 12:35:55 +00:00
// create the local state
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
2017-08-30 10:25:49 +00:00
a.State = local.NewState(LocalConfig(c), a.logger, a.tokens)
agent: decouple anti-entropy from local state The anti-entropy code manages background synchronizations of the local state on a regular basis or on demand when either the state has changed or a new consul server has been added. This patch moves the anti-entropy code into its own package and decouples it from the local state code since they are performing two different functions. To simplify code-review this revision does not make any optimizations, renames or refactorings. This will happen in subsequent commits.
2017-08-28 12:17:09 +00:00
// create the state synchronization manager which performs
// regular and on-demand state synchronizations (anti-entropy).
ae: fix typo in constructor name
2017-10-19 09:20:24 +00:00
a.sync = ae.NewStateSyncer(a.State, c.AEInterval, a.shutdownCh, a.logger)
agent: fix data race between consul server and local state
2017-06-29 12:35:55 +00:00
// create the config for the rpc server/client
agent: unmethod consulConfig To allow us to move newConsulConfig out of Agent.
2020-07-29 17:49:52 +00:00
consulCfg, err := newConsulConfig(a.config, a.logger)
agent: fix data race between consul server and local state
2017-06-29 12:35:55 +00:00
if err != nil {
return err
}
agent: unmethod consulConfig To allow us to move newConsulConfig out of Agent.
2020-07-29 17:49:52 +00:00
// Setup the user event callback
consulCfg.UserEventHandler = func(e serf.UserEvent) {
select {
case a.eventCh <- e:
case <-a.shutdownCh:
}
}
agent: decouple anti-entropy from local state The anti-entropy code manages background synchronizations of the local state on a regular basis or on demand when either the state has changed or a new consul server has been added. This patch moves the anti-entropy code into its own package and decouples it from the local state code since they are performing two different functions. To simplify code-review this revision does not make any optimizations, renames or refactorings. This will happen in subsequent commits.
2017-08-28 12:17:09 +00:00
// ServerUp is used to inform that a new consul server is now
// up. This can be used to speed up the sync process if we are blocking
// waiting to discover a consul server
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
2017-08-30 10:25:49 +00:00
consulCfg.ServerUp = a.sync.SyncFull.Trigger
agent: fix data race between consul server and local state
2017-06-29 12:35:55 +00:00
agent: stub out auditing functionality in OSS
2020-04-16 22:07:52 +00:00
err = a.initEnterprise(consulCfg)
if err != nil {
return fmt.Errorf("failed to start Consul enterprise component: %v", err)
}
agent: fewer file local differences between enterprise and oss (#6820) (#6898) * Increase number to test ignore. Consul Enterprise has more flags and since we are trying to reduce the differences between both code bases, we are increasing the number in oss. The semantics don't change, it is just a cosmetic thing. * Introduce agent.initEnterprise for enterprise related hooks. * Sync test with ent version. * Fix import order. * revert error wording.
2019-12-06 20:35:58 +00:00
Adds ability to deregister a service based on critical check state longer than a timeout.
2016-08-16 07:05:55 +00:00
// Setup either the client or the server.
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
if c.ServerMode {
agent/consul: pass dependencies directly from agent In an upcoming change we will need to pass a grpc.ClientConnPool from BaseDeps into Server. While looking at that change I noticed all of the existing consulOption fields are already on BaseDeps. Instead of duplicating the fields, we can create a struct used by agent/consul, and use that struct in BaseDeps. This allows us to pass along dependencies without translating them into different representations. I also looked at moving all of BaseDeps in agent/consul, however that created some circular imports. Resolving those cycles wouldn't be too bad (it was only an error in agent/consul being imported from cache-types), however this change seems a little better by starting to introduce some structure to BaseDeps. This change is also a small step in reducing the scope of Agent. Also remove some constants that were only used by tests, and move the relevant comment to where the live configuration is set. Removed some validation from NewServer and NewClient, as these are not really runtime errors. They would be code errors, which will cause a panic anyway, so no reason to handle them specially here.
2020-09-14 22:31:07 +00:00
server, err := consul.NewServer(consulCfg, a.baseDeps.Deps)
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
if err != nil {
agent: fix data race between consul server and local state
2017-06-29 12:35:55 +00:00
return fmt.Errorf("Failed to start Consul server: %v", err)
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
}
a.delegate = server
Filling in Agent basics
2013-12-20 23:33:13 +00:00
} else {
agent/consul: pass dependencies directly from agent In an upcoming change we will need to pass a grpc.ClientConnPool from BaseDeps into Server. While looking at that change I noticed all of the existing consulOption fields are already on BaseDeps. Instead of duplicating the fields, we can create a struct used by agent/consul, and use that struct in BaseDeps. This allows us to pass along dependencies without translating them into different representations. I also looked at moving all of BaseDeps in agent/consul, however that created some circular imports. Resolving those cycles wouldn't be too bad (it was only an error in agent/consul being imported from cache-types), however this change seems a little better by starting to introduce some structure to BaseDeps. This change is also a small step in reducing the scope of Agent. Also remove some constants that were only used by tests, and move the relevant comment to where the live configuration is set. Removed some validation from NewServer and NewClient, as these are not really runtime errors. They would be code errors, which will cause a panic anyway, so no reason to handle them specially here.
2020-09-14 22:31:07 +00:00
client, err := consul.NewClient(consulCfg, a.baseDeps.Deps)
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
if err != nil {
agent: fix data race between consul server and local state
2017-06-29 12:35:55 +00:00
return fmt.Errorf("Failed to start Consul client: %v", err)
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
}
a.delegate = client
Filling in Agent basics
2013-12-20 23:33:13 +00:00
}
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
2017-08-30 10:25:49 +00:00
// the staggering of the state syncing depends on the cluster size.
a.sync.ClusterSize = func() int { return len(a.delegate.LANMembers()) }
// link the state with the consul server/client and the state syncer
// via callbacks. After several attempts this was easier than using
// channels since the event notification needs to be non-blocking
// and that should be hidden in the state syncer implementation.
a.State.Delegate = a.delegate
a.State.TriggerSyncChanges = a.sync.SyncChanges.Trigger
agent/consul: pass dependencies directly from agent In an upcoming change we will need to pass a grpc.ClientConnPool from BaseDeps into Server. While looking at that change I noticed all of the existing consulOption fields are already on BaseDeps. Instead of duplicating the fields, we can create a struct used by agent/consul, and use that struct in BaseDeps. This allows us to pass along dependencies without translating them into different representations. I also looked at moving all of BaseDeps in agent/consul, however that created some circular imports. Resolving those cycles wouldn't be too bad (it was only an error in agent/consul being imported from cache-types), however this change seems a little better by starting to introduce some structure to BaseDeps. This change is also a small step in reducing the scope of Agent. Also remove some constants that were only used by tests, and move the relevant comment to where the live configuration is set. Removed some validation from NewServer and NewClient, as these are not really runtime errors. They would be code errors, which will cause a panic anyway, so no reason to handle them specially here.
2020-09-14 22:31:07 +00:00
if err := a.baseDeps.AutoConfig.Start(&lib.StopChannelContext{StopCh: a.shutdownCh}); err != nil {
Agent Auto Config: Implement Certificate Generation (#8360) Most of the groundwork was laid in previous PRs between adding the cert-monitor package to extracting the logic of signing certificates out of the connect_ca_endpoint.go code and into a method on the server. This also refactors the auto-config package a bit to split things out into multiple files.
2020-07-28 19:31:48 +00:00
return fmt.Errorf("AutoConf failed to start certificate monitor: %w", err)
}
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
a.serviceManager.Start()
Add support for setting node metadata fields
2017-01-05 22:10:26 +00:00
// Load checks/services/metadata.
agent: configuration reload preserves check's statuses for services (#7345) This fixes issue #7318 Between versions 1.5.2 and 1.5.3, a regression has been introduced regarding health of services. A patch #6144 had been issued for HealthChecks of nodes, but not for healthchecks of services. What happened when a reload was: 1. save all healthcheck statuses 2. cleanup everything 3. add new services with healthchecks In step 3, the state of healthchecks was taken into account locally, so at step 3, but since we cleaned up at step 2, state was lost. This PR introduces the snap parameter, so step 3 can use information from step 1
2020-03-09 11:59:41 +00:00
if err := a.loadServices(c, nil); err != nil {
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
return err
agent: first pass at local service and check persistence
2014-11-24 08:36:03 +00:00
}
agent: avoid reverting any check updates that occur while a service is being added or the config is reloaded (#6144)
2019-07-17 19:06:50 +00:00
if err := a.loadChecks(c, nil); err != nil {
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
return err
agent: first pass at local service and check persistence
2014-11-24 08:36:03 +00:00
}
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
if err := a.loadMetadata(c); err != nil {
return err
Add support for setting node metadata fields
2017-01-05 22:10:26 +00:00
}
agent: first pass at local service and check persistence
2014-11-24 08:36:03 +00:00
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
var intentionDefaultAllow bool
switch a.config.ACLDefaultPolicy {
case "allow":
intentionDefaultAllow = true
case "deny":
intentionDefaultAllow = false
default:
return fmt.Errorf("unexpected ACL default policy value of %q", a.config.ACLDefaultPolicy)
}
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review
2018-10-03 19:37:53 +00:00
// Start the proxy config manager.
a.proxyConfig, err = proxycfg.NewManager(proxycfg.ManagerConfig{
Cache: a.cache,
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
Logger: a.logger.Named(logging.ProxyConfig),
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review
2018-10-03 19:37:53 +00:00
State: a.State,
Source: &structs.QuerySource{
Node: a.config.NodeName,
Datacenter: a.config.Datacenter,
Segment: a.config.SegmentName,
},
Add TLS option and DNS SAN support to ingress config xds: Only set TLS context for ingress listener when requested
2020-04-27 23:36:20 +00:00
DNSConfig: proxycfg.DNSConfig{
Domain: a.config.DNSDomain,
AltDomain: a.config.DNSAltDomain,
},
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
TLSConfigurator: a.tlsConfigurator,
IntentionDefaultAllow: intentionDefaultAllow,
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review
2018-10-03 19:37:53 +00:00
})
if err != nil {
return err
}
Fix up tests broken by master merge; add proxy tests to services command (and fix it!); actually run the proxycfg.Manager
2018-10-04 13:08:12 +00:00
go func() {
if err := a.proxyConfig.Run(); err != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Error("proxy config manager exited with error", "error", err)
Fix up tests broken by master merge; add proxy tests to services command (and fix it!); actually run the proxycfg.Manager
2018-10-04 13:08:12 +00:00
}
}()
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review
2018-10-03 19:37:53 +00:00
Adds ability to deregister a service based on critical check state longer than a timeout.
2016-08-16 07:05:55 +00:00
// Start watching for critical services to deregister, based on their
// checks.
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
go a.reapServices()
Adds ability to deregister a service based on critical check state longer than a timeout.
2016-08-16 07:05:55 +00:00
// Start handling events.
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
go a.handleEvents()
agent: working on user events
2014-08-27 23:49:12 +00:00
Does a clean up pass on the Consul side.
2015-06-06 03:31:33 +00:00
// Start sending network coordinate to the server.
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
if !c.DisableCoordinates {
go a.sendCoordinate()
Does a clean up pass on the Consul side.
2015-06-06 03:31:33 +00:00
}
Adds ability to deregister a service based on critical check state longer than a timeout.
2016-08-16 07:05:55 +00:00
// Write out the PID file if necessary.
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
if err := a.storePid(); err != nil {
return err
Return pid file errors and fix help formatting
2014-05-06 16:57:53 +00:00
}
Add flag to agent to write pid file
2014-05-06 03:29:50 +00:00
agent: refactor DNS and HTTP server * refactor DNS server to be ready for multiple bind addresses * drop tcpKeepAliveListener since it is default for the HTTP servers * add startup timeout watcher for HTTP servers identical to DNS server
2017-05-24 13:22:56 +00:00
// start DNS servers
if err := a.listenAndServeDNS(); err != nil {
return err
}
Security fixes (#7182) * Mitigate HTTP/RPC Services Allow Unbounded Resource Usage Fixes #7159. Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: Paul Banks <banks@banksco.de>
2020-01-31 16:19:37 +00:00
// Configure the http connection limiter.
a.httpConnLimiter.SetConfig(connlimit.Config{
MaxConnsPerClientIP: a.config.HTTPMaxConnsPerClient,
})
Adds HTTP/2 support to Consul's HTTPS server. (#3657) * Refactors the HTTP listen path to create servers in the same spot. * Adds HTTP/2 support to Consul's HTTPS server. * Vendors Go HTTP/2 library and associated deps.
2017-11-07 23:06:59 +00:00
// Create listeners and unstarted servers; see comment on listenHTTP why
// we are doing this.
servers, err := a.listenHTTP()
agent: refactor DNS and HTTP server * refactor DNS server to be ready for multiple bind addresses * drop tcpKeepAliveListener since it is default for the HTTP servers * add startup timeout watcher for HTTP servers identical to DNS server
2017-05-24 13:22:56 +00:00
if err != nil {
return err
}
Adds HTTP/2 support to Consul's HTTPS server. (#3657) * Refactors the HTTP listen path to create servers in the same spot. * Adds HTTP/2 support to Consul's HTTPS server. * Vendors Go HTTP/2 library and associated deps.
2017-11-07 23:06:59 +00:00
// Start HTTP and HTTPS servers.
for _, srv := range servers {
agent: add apiServers type for managing HTTP servers Remove Server field from HTTPServer. The field is no longer used.
2020-07-02 17:31:47 +00:00
a.apiServers.Start(srv)
agent: refactor DNS and HTTP server * refactor DNS server to be ready for multiple bind addresses * drop tcpKeepAliveListener since it is default for the HTTP servers * add startup timeout watcher for HTTP servers identical to DNS server
2017-05-24 13:22:56 +00:00
}
agent: move retry join into agent
2017-06-02 09:55:29 +00:00
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review
2018-10-03 19:37:53 +00:00
// Start gRPC server.
if err := a.listenAndServeGRPC(); err != nil {
return err
}
agent: move watch plans into agent
2017-06-09 08:03:49 +00:00
// register watches
Fixes watch tracking during reloads and fixes address issue. (#3189) This patch fixes watch registration through the config file and a broken log line when the watch registration fails. It also plumbs all the watch loading through a common function and tweaks the unit test to create the watch before the reload.
2017-06-24 19:52:41 +00:00
if err := a.reloadWatches(a.config); err != nil {
agent: move watch plans into agent
2017-06-09 08:03:49 +00:00
return err
}
agent: move retry join into agent
2017-06-02 09:55:29 +00:00
// start retry join
agent: support go-discover retry-join for wan
2017-08-19 08:44:19 +00:00
go a.retryJoinLAN()
wan federation via mesh gateways (#6884) This is like a Möbius strip of code due to the fact that low-level components (serf/memberlist) are connected to high-level components (the catalog and mesh-gateways) in a twisty maze of references which make it hard to dive into. With that in mind here's a high level summary of what you'll find in the patch: There are several distinct chunks of code that are affected: * new flags and config options for the server * retry join WAN is slightly different * retry join code is shared to discover primary mesh gateways from secondary datacenters * because retry join logic runs in the *agent* and the results of that operation for primary mesh gateways are needed in the *server* there are some methods like `RefreshPrimaryGatewayFallbackAddresses` that must occur at multiple layers of abstraction just to pass the data down to the right layer. * new cache type `FederationStateListMeshGatewaysName` for use in `proxycfg/xds` layers * the function signature for RPC dialing picked up a new required field (the node name of the destination) * several new RPCs for manipulating a FederationState object: `FederationState:{Apply,Get,List,ListMeshGateways}` * 3 read-only internal APIs for debugging use to invoke those RPCs from curl * raft and fsm changes to persist these FederationStates * replication for FederationStates as they are canonically stored in the Primary and replicated to the Secondaries. * a special derivative of anti-entropy that runs in secondaries to snapshot their local mesh gateway `CheckServiceNodes` and sync them into their upstream FederationState in the primary (this works in conjunction with the replication to distribute addresses for all mesh gateways in all DCs to all other DCs) * a "gateway locator" convenience object to make use of this data to choose the addresses of gateways to use for any given RPC or gossip operation to a remote DC. This gets data from the "retry join" logic in the agent and also directly calls into the FSM. * RPC (`:8300`) on the server sniffs the first byte of a new connection to determine if it's actually doing native TLS. If so it checks the ALPN header for protocol determination (just like how the existing system uses the type-byte marker). * 2 new kinds of protocols are exclusively decoded via this native TLS mechanism: one for ferrying "packet" operations (udp-like) from the gossip layer and one for "stream" operations (tcp-like). The packet operations re-use sockets (using length-prefixing) to cut down on TLS re-negotiation overhead. * the server instances specially wrap the `memberlist.NetTransport` when running with gateway federation enabled (in a `wanfed.Transport`). The general gist is that if it tries to dial a node in the SAME datacenter (deduced by looking at the suffix of the node name) there is no change. If dialing a DIFFERENT datacenter it is wrapped up in a TLS+ALPN blob and sent through some mesh gateways to eventually end up in a server's :8300 port. * a new flag when launching a mesh gateway via `consul connect envoy` to indicate that the servers are to be exposed. This sets a special service meta when registering the gateway into the catalog. * `proxycfg/xds` notice this metadata blob to activate additional watches for the FederationState objects as well as the location of all of the consul servers in that datacenter. * `xds:` if the extra metadata is in place additional clusters are defined in a DC to bulk sink all traffic to another DC's gateways. For the current datacenter we listen on a wildcard name (`server.<dc>.consul`) that load balances all servers as well as one mini-cluster per node (`<node>.server.<dc>.consul`) * the `consul tls cert create` command got a new flag (`-node`) to help create an additional SAN in certs that can be used with this flavor of federation.
2020-03-09 20:59:02 +00:00
if a.config.ServerMode {
go a.retryJoinWAN()
}
agent: move retry join into agent
2017-06-02 09:55:29 +00:00
agent: refactor DNS and HTTP server * refactor DNS server to be ready for multiple bind addresses * drop tcpKeepAliveListener since it is default for the HTTP servers * add startup timeout watcher for HTTP servers identical to DNS server
2017-05-24 13:22:56 +00:00
return nil
}
agent: add apiServers type for managing HTTP servers Remove Server field from HTTPServer. The field is no longer used.
2020-07-02 17:31:47 +00:00
// Failed returns a channel which is closed when the first server goroutine exits
// with a non-nil error.
func (a *Agent) Failed() <-chan struct{} {
return a.apiServers.failed
}
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review
2018-10-03 19:37:53 +00:00
func (a *Agent) listenAndServeGRPC() error {
if len(a.config.GRPCAddrs) < 1 {
return nil
}
agent: Remove xdsServer field The field is only referenced from a single method, it can be a local var
2020-03-21 18:59:39 +00:00
xdsServer := &xds.Server{
New ACLs (#4791) This PR is almost a complete rewrite of the ACL system within Consul. It brings the features more in line with other HashiCorp products. Obviously there is quite a bit left to do here but most of it is related docs, testing and finishing the last few commands in the CLI. I will update the PR description and check off the todos as I finish them over the next few days/week. Description At a high level this PR is mainly to split ACL tokens from Policies and to split the concepts of Authorization from Identities. A lot of this PR is mostly just to support CRUD operations on ACLTokens and ACLPolicies. These in and of themselves are not particularly interesting. The bigger conceptual changes are in how tokens get resolved, how backwards compatibility is handled and the separation of policy from identity which could lead the way to allowing for alternative identity providers. On the surface and with a new cluster the ACL system will look very similar to that of Nomads. Both have tokens and policies. Both have local tokens. The ACL management APIs for both are very similar. I even ripped off Nomad's ACL bootstrap resetting procedure. There are a few key differences though. Nomad requires token and policy replication where Consul only requires policy replication with token replication being opt-in. In Consul local tokens only work with token replication being enabled though. All policies in Nomad are globally applicable. In Consul all policies are stored and replicated globally but can be scoped to a subset of the datacenters. This allows for more granular access management. Unlike Nomad, Consul has legacy baggage in the form of the original ACL system. The ramifications of this are: A server running the new system must still support other clients using the legacy system. A client running the new system must be able to use the legacy RPCs when the servers in its datacenter are running the legacy system. The primary ACL DC's servers running in legacy mode needs to be a gate that keeps everything else in the entire multi-DC cluster running in legacy mode. So not only does this PR implement the new ACL system but has a legacy mode built in for when the cluster isn't ready for new ACLs. Also detecting that new ACLs can be used is automatic and requires no configuration on the part of administrators. This process is detailed more in the "Transitioning from Legacy to New ACL Mode" section below.
2018-10-19 16:04:07 +00:00
Logger: a.logger,
CfgMgr: a.proxyConfig,
ResolveToken: a.resolveToken,
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
CheckFetcher: a,
CfgFetcher: a,
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review
2018-10-03 19:37:53 +00:00
}
agent: Remove xdsServer field The field is only referenced from a single method, it can be a local var
2020-03-21 18:59:39 +00:00
xdsServer.Initialize()
Check ACLs more often for xDS endpoints. For established xDS gRPC streams recheck ACLs for each DiscoveryRequest or DiscoveryResponse. If more than 5 minutes has elapsed since the last ACL check, recheck even without an incoming DiscoveryRequest or DiscoveryResponse. ACL failures will terminate the stream.
2019-01-11 15:43:18 +00:00
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review
2018-10-03 19:37:53 +00:00
var err error
agent: only enable TLS on gRPC if the HTTPS API port is enabled (#5287) Currently the gRPC server assumes that if you have configured TLS certs on the agent (for RPC) that you want gRPC to be encrypted. If gRPC is bound to localhost this can be overkill. For the API we let the user choose to offer HTTP or HTTPS API endpoints independently of the TLS cert configuration for a similar reason. This setting will let someone encrypt RPC traffic with TLS but avoid encrypting local gRPC traffic if that is what they want to do by only enabling TLS on gRPC if the HTTPS API port is enabled.
2019-02-13 17:49:54 +00:00
if a.config.HTTPSPort > 0 {
// gRPC uses the same TLS settings as the HTTPS API. If HTTPS is
// enabled then gRPC will require HTTPS as well.
agent: Remove xdsServer field The field is only referenced from a single method, it can be a local var
2020-03-21 18:59:39 +00:00
a.grpcServer, err = xdsServer.GRPCServer(a.tlsConfigurator)
agent: only enable TLS on gRPC if the HTTPS API port is enabled (#5287) Currently the gRPC server assumes that if you have configured TLS certs on the agent (for RPC) that you want gRPC to be encrypted. If gRPC is bound to localhost this can be overkill. For the API we let the user choose to offer HTTP or HTTPS API endpoints independently of the TLS cert configuration for a similar reason. This setting will let someone encrypt RPC traffic with TLS but avoid encrypting local gRPC traffic if that is what they want to do by only enabling TLS on gRPC if the HTTPS API port is enabled.
2019-02-13 17:49:54 +00:00
} else {
agent: Remove xdsServer field The field is only referenced from a single method, it can be a local var
2020-03-21 18:59:39 +00:00
a.grpcServer, err = xdsServer.GRPCServer(nil)
agent: only enable TLS on gRPC if the HTTPS API port is enabled (#5287) Currently the gRPC server assumes that if you have configured TLS certs on the agent (for RPC) that you want gRPC to be encrypted. If gRPC is bound to localhost this can be overkill. For the API we let the user choose to offer HTTP or HTTPS API endpoints independently of the TLS cert configuration for a similar reason. This setting will let someone encrypt RPC traffic with TLS but avoid encrypting local gRPC traffic if that is what they want to do by only enabling TLS on gRPC if the HTTPS API port is enabled.
2019-02-13 17:49:54 +00:00
}
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review
2018-10-03 19:37:53 +00:00
if err != nil {
return err
}
ln, err := a.startListeners(a.config.GRPCAddrs)
if err != nil {
return err
}
for _, l := range ln {
go func(innerL net.Listener) {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Info("Started gRPC server",
"address", innerL.Addr().String(),
"network", innerL.Addr().Network(),
)
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review
2018-10-03 19:37:53 +00:00
err := a.grpcServer.Serve(innerL)
if err != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Error("gRPC server failed", "error", err)
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review
2018-10-03 19:37:53 +00:00
}
}(l)
}
return nil
}
agent: refactor DNS and HTTP server * refactor DNS server to be ready for multiple bind addresses * drop tcpKeepAliveListener since it is default for the HTTP servers * add startup timeout watcher for HTTP servers identical to DNS server
2017-05-24 13:22:56 +00:00
func (a *Agent) listenAndServeDNS() error {
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
notif := make(chan net.Addr, len(a.config.DNSAddrs))
Ensure that errors setting up the DNS servers get propagated back to the shell (#4598) Fixes: #4578 Prior to this fix if there was an error binding to ports for the DNS servers the error would be swallowed by the gated log writer and never output. This fix propagates the DNS server errors back to the shell with a multierror.
2018-09-07 14:48:29 +00:00
errCh := make(chan error, len(a.config.DNSAddrs))
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
for _, addr := range a.config.DNSAddrs {
agent: refactor DNS and HTTP server * refactor DNS server to be ready for multiple bind addresses * drop tcpKeepAliveListener since it is default for the HTTP servers * add startup timeout watcher for HTTP servers identical to DNS server
2017-05-24 13:22:56 +00:00
// create server
s, err := NewDNSServer(a)
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
if err != nil {
agent: refactor DNS and HTTP server * refactor DNS server to be ready for multiple bind addresses * drop tcpKeepAliveListener since it is default for the HTTP servers * add startup timeout watcher for HTTP servers identical to DNS server
2017-05-24 13:22:56 +00:00
return err
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
}
agent: refactor DNS and HTTP server * refactor DNS server to be ready for multiple bind addresses * drop tcpKeepAliveListener since it is default for the HTTP servers * add startup timeout watcher for HTTP servers identical to DNS server
2017-05-24 13:22:56 +00:00
a.dnsServers = append(a.dnsServers, s)
// start server
a.wgServers.Add(1)
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
go func(addr net.Addr) {
agent: refactor DNS and HTTP server * refactor DNS server to be ready for multiple bind addresses * drop tcpKeepAliveListener since it is default for the HTTP servers * add startup timeout watcher for HTTP servers identical to DNS server
2017-05-24 13:22:56 +00:00
defer a.wgServers.Done()
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
err := s.ListenAndServe(addr.Network(), addr.String(), func() { notif <- addr })
agent: refactor DNS and HTTP server * refactor DNS server to be ready for multiple bind addresses * drop tcpKeepAliveListener since it is default for the HTTP servers * add startup timeout watcher for HTTP servers identical to DNS server
2017-05-24 13:22:56 +00:00
if err != nil && !strings.Contains(err.Error(), "accept") {
Ensure that errors setting up the DNS servers get propagated back to the shell (#4598) Fixes: #4578 Prior to this fix if there was an error binding to ports for the DNS servers the error would be swallowed by the gated log writer and never output. This fix propagates the DNS server errors back to the shell with a multierror.
2018-09-07 14:48:29 +00:00
errCh <- err
agent: refactor DNS and HTTP server * refactor DNS server to be ready for multiple bind addresses * drop tcpKeepAliveListener since it is default for the HTTP servers * add startup timeout watcher for HTTP servers identical to DNS server
2017-05-24 13:22:56 +00:00
}
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
}(addr)
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
}
agent: refactor DNS and HTTP server * refactor DNS server to be ready for multiple bind addresses * drop tcpKeepAliveListener since it is default for the HTTP servers * add startup timeout watcher for HTTP servers identical to DNS server
2017-05-24 13:22:56 +00:00
// wait for servers to be up
timeout := time.After(time.Second)
Ensure that errors setting up the DNS servers get propagated back to the shell (#4598) Fixes: #4578 Prior to this fix if there was an error binding to ports for the DNS servers the error would be swallowed by the gated log writer and never output. This fix propagates the DNS server errors back to the shell with a multierror.
2018-09-07 14:48:29 +00:00
var merr *multierror.Error
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
for range a.config.DNSAddrs {
agent: refactor DNS and HTTP server * refactor DNS server to be ready for multiple bind addresses * drop tcpKeepAliveListener since it is default for the HTTP servers * add startup timeout watcher for HTTP servers identical to DNS server
2017-05-24 13:22:56 +00:00
select {
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
case addr := <-notif:
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Info("Started DNS server",
"address", addr.String(),
"network", addr.Network(),
)
ACL Token Persistence and Reloading (#5328) This PR adds two features which will be useful for operators when ACLs are in use. 1. Tokens set in configuration files are now reloadable. 2. If `acl.enable_token_persistence` is set to `true` in the configuration, tokens set via the `v1/agent/token` endpoint are now persisted to disk and loaded when the agent starts (or during configuration reload) Note that token persistence is opt-in so our users who do not want tokens on the local disk will see no change. Some other secondary changes: * Refactored a bunch of places where the replication token is retrieved from the token store. This token isn't just for replicating ACLs and now it is named accordingly. * Allowed better paths in the `v1/agent/token/` API. Instead of paths like: `v1/agent/token/acl_replication_token` the path can now be just `v1/agent/token/replication`. The old paths remain to be valid. * Added a couple new API functions to set tokens via the new paths. Deprecated the old ones and pointed to the new names. The names are also generally better and don't imply that what you are setting is for ACLs but rather are setting ACL tokens. There is a minor semantic difference there especially for the replication token as again, its no longer used only for ACL token/policy replication. The new functions will detect 404s and fallback to using the older token paths when talking to pre-1.4.3 agents. * Docs updated to reflect the API additions and to show using the new endpoints. * Updated the ACL CLI set-agent-tokens command to use the non-deprecated APIs.
2019-02-27 19:28:31 +00:00
Ensure that errors setting up the DNS servers get propagated back to the shell (#4598) Fixes: #4578 Prior to this fix if there was an error binding to ports for the DNS servers the error would be swallowed by the gated log writer and never output. This fix propagates the DNS server errors back to the shell with a multierror.
2018-09-07 14:48:29 +00:00
case err := <-errCh:
merr = multierror.Append(merr, err)
agent: refactor DNS and HTTP server * refactor DNS server to be ready for multiple bind addresses * drop tcpKeepAliveListener since it is default for the HTTP servers * add startup timeout watcher for HTTP servers identical to DNS server
2017-05-24 13:22:56 +00:00
case <-timeout:
Ensure that errors setting up the DNS servers get propagated back to the shell (#4598) Fixes: #4578 Prior to this fix if there was an error binding to ports for the DNS servers the error would be swallowed by the gated log writer and never output. This fix propagates the DNS server errors back to the shell with a multierror.
2018-09-07 14:48:29 +00:00
merr = multierror.Append(merr, fmt.Errorf("agent: timeout starting DNS servers"))
ci: Add staticcheck and fix most errors Three of the checks are temporarily disabled to limit the size of the diff, and allow us to enable all the other checks in CI. In a follow up we can fix the issues reported by the other checks one at a time, and enable them.
2020-05-14 21:02:52 +00:00
return merr.ErrorOrNil()
agent: refactor DNS and HTTP server * refactor DNS server to be ready for multiple bind addresses * drop tcpKeepAliveListener since it is default for the HTTP servers * add startup timeout watcher for HTTP servers identical to DNS server
2017-05-24 13:22:56 +00:00
}
}
Ensure that errors setting up the DNS servers get propagated back to the shell (#4598) Fixes: #4578 Prior to this fix if there was an error binding to ports for the DNS servers the error would be swallowed by the gated log writer and never output. This fix propagates the DNS server errors back to the shell with a multierror.
2018-09-07 14:48:29 +00:00
return merr.ErrorOrNil()
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
}
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review
2018-10-03 19:37:53 +00:00
func (a *Agent) startListeners(addrs []net.Addr) ([]net.Listener, error) {
var ln []net.Listener
for _, addr := range addrs {
var l net.Listener
var err error
switch x := addr.(type) {
case *net.UnixAddr:
l, err = a.listenSocket(x.Name)
if err != nil {
return nil, err
}
case *net.TCPAddr:
l, err = net.Listen("tcp", x.String())
if err != nil {
return nil, err
}
l = &tcpKeepAliveListener{l.(*net.TCPListener)}
default:
return nil, fmt.Errorf("unsupported address type %T", addr)
}
ln = append(ln, l)
}
return ln, nil
}
agent: refactor DNS and HTTP server * refactor DNS server to be ready for multiple bind addresses * drop tcpKeepAliveListener since it is default for the HTTP servers * add startup timeout watcher for HTTP servers identical to DNS server
2017-05-24 13:22:56 +00:00
// listenHTTP binds listeners to the provided addresses and also returns
// pre-configured HTTP servers which are not yet started. The motivation is
// that in the current startup/shutdown setup we de-couple the listener
// creation from the server startup assuming that if any of the listeners
// cannot be bound we fail immediately and later failures do not occur.
// Therefore, starting a server with a running listener is assumed to not
// produce an error.
//
// The second motivation is that an HTTPS server needs to use the same TLSConfig
// on both the listener and the HTTP server. When listeners and servers are
// created at different times this becomes difficult to handle without keeping
// the TLS configuration somewhere or recreating it.
//
// This approach should ultimately be refactored to the point where we just
// start the server and any error should trigger a proper shutdown of the agent.
agent: add apiServers type for managing HTTP servers Remove Server field from HTTPServer. The field is no longer used.
2020-07-02 17:31:47 +00:00
func (a *Agent) listenHTTP() ([]apiServer, error) {
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
var ln []net.Listener
agent: add apiServers type for managing HTTP servers Remove Server field from HTTPServer. The field is no longer used.
2020-07-02 17:31:47 +00:00
var servers []apiServer
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
start := func(proto string, addrs []net.Addr) error {
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review
2018-10-03 19:37:53 +00:00
listeners, err := a.startListeners(addrs)
if err != nil {
return err
}
agent: add apiServers type for managing HTTP servers Remove Server field from HTTPServer. The field is no longer used.
2020-07-02 17:31:47 +00:00
ln = append(ln, listeners...)
agent: refactor DNS and HTTP server * refactor DNS server to be ready for multiple bind addresses * drop tcpKeepAliveListener since it is default for the HTTP servers * add startup timeout watcher for HTTP servers identical to DNS server
2017-05-24 13:22:56 +00:00
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review
2018-10-03 19:37:53 +00:00
for _, l := range listeners {
var tlscfg *tls.Config
_, isTCP := l.(*tcpKeepAliveListener)
if isTCP && proto == "https" {
agent: enable reloading of tls config (#5419) This PR introduces reloading tls configuration. Consul will now be able to reload the TLS configuration which previously required a restart. It is not yet possible to turn TLS ON or OFF with these changes. Only when TLS is already turned on, the configuration can be reloaded. Most importantly the certificates and CAs.
2019-03-13 09:29:06 +00:00
tlscfg = a.tlsConfigurator.IncomingHTTPSConfig()
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review
2018-10-03 19:37:53 +00:00
l = tls.NewListener(l, tlscfg)
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
}
Security fixes (#7182) * Mitigate HTTP/RPC Services Allow Unbounded Resource Usage Fixes #7159. Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: Paul Banks <banks@banksco.de>
2020-01-31 16:19:37 +00:00
api: rename HTTPServer to HTTPHandlers Resolves a TODO about naming. This type is a set of handlers for an http.Server, it is not itself a Server. It provides http.Handler functions.
2020-09-04 18:42:15 +00:00
srv := &HTTPHandlers{
Replace whitelist/blacklist terminology with allowlist/denylist (#7971) * Replace whitelist/blacklist terminology with allowlist/denylist
2020-05-29 18:19:16 +00:00
agent: a,
denylist: NewDenylist(a.config.HTTPBlockEndpoints),
Adds HTTP/2 support to Consul's HTTPS server. (#3657) * Refactors the HTTP listen path to create servers in the same spot. * Adds HTTP/2 support to Consul's HTTPS server. * Vendors Go HTTP/2 library and associated deps.
2017-11-07 23:06:59 +00:00
}
agent: add apiServers type for managing HTTP servers Remove Server field from HTTPServer. The field is no longer used.
2020-07-02 17:31:47 +00:00
httpServer := &http.Server{
Addr: l.Addr().String(),
TLSConfig: tlscfg,
Handler: srv.handler(a.config.EnableDebug),
}
Adds HTTP/2 support to Consul's HTTPS server. (#3657) * Refactors the HTTP listen path to create servers in the same spot. * Adds HTTP/2 support to Consul's HTTPS server. * Vendors Go HTTP/2 library and associated deps.
2017-11-07 23:06:59 +00:00
Security fixes (#7182) * Mitigate HTTP/RPC Services Allow Unbounded Resource Usage Fixes #7159. Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: Paul Banks <banks@banksco.de>
2020-01-31 16:19:37 +00:00
// Load the connlimit helper into the server
Upgrade go-connlimit to v0.3.0 / return http 429 on too many connections (#8221) Fixes #7527 I want to highlight this and explain what I think the implications are and make sure we are aware: * `HTTPConnStateFunc` closes the connection when it is beyond the limit. `Close` does not block. * `HTTPConnStateFuncWithDefault429Handler(10 * time.Millisecond)` blocks until the following is done (worst case): 1) `conn.SetDeadline(10*time.Millisecond)` so that 2) `conn.Write(429error)` is guaranteed to timeout after 10ms, so that the http 429 can be written and 3) `conn.Close` can happen The implication of this change is that accepting any new connection is worst case delayed by 10ms. But only after a client reached the limit already.
2020-07-03 07:25:07 +00:00
connLimitFn := a.httpConnLimiter.HTTPConnStateFuncWithDefault429Handler(10 * time.Millisecond)
Security fixes (#7182) * Mitigate HTTP/RPC Services Allow Unbounded Resource Usage Fixes #7159. Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: Paul Banks <banks@banksco.de>
2020-01-31 16:19:37 +00:00
Adds HTTP/2 support to Consul's HTTPS server. (#3657) * Refactors the HTTP listen path to create servers in the same spot. * Adds HTTP/2 support to Consul's HTTPS server. * Vendors Go HTTP/2 library and associated deps.
2017-11-07 23:06:59 +00:00
if proto == "https" {
agent/http: Update TestSetupHTTPServer_HTTP2 To remove the need to store the http.Server. This will allow us to remove the http.Server field from the HTTPServer struct.
2020-07-02 21:51:25 +00:00
if err := setupHTTPS(httpServer, connLimitFn, a.config.HTTPSHandshakeTimeout); err != nil {
Adds HTTP/2 support to Consul's HTTPS server. (#3657) * Refactors the HTTP listen path to create servers in the same spot. * Adds HTTP/2 support to Consul's HTTPS server. * Vendors Go HTTP/2 library and associated deps.
2017-11-07 23:06:59 +00:00
return err
}
Security fixes (#7182) * Mitigate HTTP/RPC Services Allow Unbounded Resource Usage Fixes #7159. Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: Paul Banks <banks@banksco.de>
2020-01-31 16:19:37 +00:00
} else {
agent/http: un-embed the HTTPServer The embedded HTTPServer struct is not used by the large HTTPServer struct. It is used by tests and the agent. This change is a small first step in the process of removing that field. The eventual goal is to reduce the scope of HTTPServer making it easier to test, and split into separate packages.
2020-07-02 20:47:54 +00:00
httpServer.ConnState = connLimitFn
Adds HTTP/2 support to Consul's HTTPS server. (#3657) * Refactors the HTTP listen path to create servers in the same spot. * Adds HTTP/2 support to Consul's HTTPS server. * Vendors Go HTTP/2 library and associated deps.
2017-11-07 23:06:59 +00:00
}
agent: add apiServers type for managing HTTP servers Remove Server field from HTTPServer. The field is no longer used.
2020-07-02 17:31:47 +00:00
servers = append(servers, apiServer{
Protocol: proto,
Addr: l.Addr(),
Shutdown: httpServer.Shutdown,
Run: func() error {
err := httpServer.Serve(l)
if err == nil || err == http.ErrServerClosed {
return nil
}
return fmt.Errorf("%s server %s failed: %w", proto, l.Addr(), err)
},
})
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
}
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
return nil
}
agent: refactor DNS and HTTP server * refactor DNS server to be ready for multiple bind addresses * drop tcpKeepAliveListener since it is default for the HTTP servers * add startup timeout watcher for HTTP servers identical to DNS server
2017-05-24 13:22:56 +00:00
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
if err := start("http", a.config.HTTPAddrs); err != nil {
agent: add apiServers type for managing HTTP servers Remove Server field from HTTPServer. The field is no longer used.
2020-07-02 17:31:47 +00:00
closeListeners(ln)
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
return nil, err
}
if err := start("https", a.config.HTTPSAddrs); err != nil {
agent: add apiServers type for managing HTTP servers Remove Server field from HTTPServer. The field is no longer used.
2020-07-02 17:31:47 +00:00
closeListeners(ln)
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
return nil, err
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
}
Adds HTTP/2 support to Consul's HTTPS server. (#3657) * Refactors the HTTP listen path to create servers in the same spot. * Adds HTTP/2 support to Consul's HTTPS server. * Vendors Go HTTP/2 library and associated deps.
2017-11-07 23:06:59 +00:00
return servers, nil
agent: refactor DNS and HTTP server * refactor DNS server to be ready for multiple bind addresses * drop tcpKeepAliveListener since it is default for the HTTP servers * add startup timeout watcher for HTTP servers identical to DNS server
2017-05-24 13:22:56 +00:00
}
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
agent: add apiServers type for managing HTTP servers Remove Server field from HTTPServer. The field is no longer used.
2020-07-02 17:31:47 +00:00
func closeListeners(lns []net.Listener) {
for _, l := range lns {
l.Close()
}
}
agent/http: Update TestSetupHTTPServer_HTTP2 To remove the need to store the http.Server. This will allow us to remove the http.Server field from the HTTPServer struct.
2020-07-02 21:51:25 +00:00
// setupHTTPS adds HTTP/2 support, ConnState, and a connection handshake timeout
// to the http.Server.
func setupHTTPS(server *http.Server, connState func(net.Conn, http.ConnState), timeout time.Duration) error {
// Enforce TLS handshake timeout
server.ConnState = func(conn net.Conn, state http.ConnState) {
switch state {
case http.StateNew:
// Set deadline to prevent slow send before TLS handshake or first
// byte of request.
conn.SetReadDeadline(time.Now().Add(timeout))
case http.StateActive:
// Clear read deadline. We should maybe set read timeouts more
// generally but that's a bigger task as some HTTP endpoints may
// stream large requests and responses (e.g. snapshot) so we can't
// set sensible blanket timeouts here.
conn.SetReadDeadline(time.Time{})
}
// Pass through to conn limit. This is OK because we didn't change
// state (i.e. Close conn).
connState(conn, state)
}
// This will enable upgrading connections to HTTP/2 as
// part of TLS negotiation.
return http2.ConfigureServer(server, nil)
}
Address review comments
2017-05-30 23:05:21 +00:00
// tcpKeepAliveListener sets TCP keep-alive timeouts on accepted
Adds HTTP/2 support to Consul's HTTPS server. (#3657) * Refactors the HTTP listen path to create servers in the same spot. * Adds HTTP/2 support to Consul's HTTPS server. * Vendors Go HTTP/2 library and associated deps.
2017-11-07 23:06:59 +00:00
// connections. It's used so dead TCP connections eventually go away.
Address review comments
2017-05-30 23:05:21 +00:00
type tcpKeepAliveListener struct {
*net.TCPListener
}
func (ln tcpKeepAliveListener) Accept() (c net.Conn, err error) {
tc, err := ln.AcceptTCP()
if err != nil {
return
}
tc.SetKeepAlive(true)
tc.SetKeepAlivePeriod(30 * time.Second)
return tc, nil
}
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
func (a *Agent) listenSocket(path string) (net.Listener, error) {
agent: refactor DNS and HTTP server * refactor DNS server to be ready for multiple bind addresses * drop tcpKeepAliveListener since it is default for the HTTP servers * add startup timeout watcher for HTTP servers identical to DNS server
2017-05-24 13:22:56 +00:00
if _, err := os.Stat(path); !os.IsNotExist(err) {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Warn("Replacing socket", "path", path)
agent: refactor DNS and HTTP server * refactor DNS server to be ready for multiple bind addresses * drop tcpKeepAliveListener since it is default for the HTTP servers * add startup timeout watcher for HTTP servers identical to DNS server
2017-05-24 13:22:56 +00:00
}
if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
return nil, fmt.Errorf("error removing socket file: %s", err)
}
l, err := net.Listen("unix", path)
if err != nil {
return nil, err
}
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
user, group, mode := a.config.UnixSocketUser, a.config.UnixSocketGroup, a.config.UnixSocketMode
if err := setFilePermissions(path, user, group, mode); err != nil {
return nil, fmt.Errorf("Failed setting up socket: %s", err)
agent: refactor DNS and HTTP server * refactor DNS server to be ready for multiple bind addresses * drop tcpKeepAliveListener since it is default for the HTTP servers * add startup timeout watcher for HTTP servers identical to DNS server
2017-05-24 13:22:56 +00:00
}
return l, nil
}
Stop all watches before shuting down anything dring shutdown. (#7526) This will prevent watches from being triggered. ```changelog * fix(agent): stop all watches before shuting down ```
2020-05-26 08:01:49 +00:00
// stopAllWatches stops all the currently running watches
func (a *Agent) stopAllWatches() {
for _, wp := range a.watchPlans {
wp.Stop()
}
}
Fixes watch tracking during reloads and fixes address issue. (#3189) This patch fixes watch registration through the config file and a broken log line when the watch registration fails. It also plumbs all the watch loading through a common function and tweaks the unit test to create the watch before the reload.
2017-06-24 19:52:41 +00:00
// reloadWatches stops any existing watch plans and attempts to load the given
// set of watches.
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
func (a *Agent) reloadWatches(cfg *config.RuntimeConfig) error {
Fix watch error when http & https are disabled (#3493) Remove an error in watch reloading that happens when http and https are both disabled, and use an https address for running watches if no http addresses are present. Fixes #3425.
2017-09-26 20:47:27 +00:00
// Stop the current watches.
Stop all watches before shuting down anything dring shutdown. (#7526) This will prevent watches from being triggered. ```changelog * fix(agent): stop all watches before shuting down ```
2020-05-26 08:01:49 +00:00
a.stopAllWatches()
Fix watch error when http & https are disabled (#3493) Remove an error in watch reloading that happens when http and https are both disabled, and use an https address for running watches if no http addresses are present. Fixes #3425.
2017-09-26 20:47:27 +00:00
a.watchPlans = nil
// Return if there are no watches now.
if len(cfg.Watches) == 0 {
return nil
}
Fixes watch tracking during reloads and fixes address issue. (#3189) This patch fixes watch registration through the config file and a broken log line when the watch registration fails. It also plumbs all the watch loading through a common function and tweaks the unit test to create the watch before the reload.
2017-06-24 19:52:41 +00:00
// Watches use the API to talk to this agent, so that must be enabled.
Fix watch error when http & https are disabled (#3493) Remove an error in watch reloading that happens when http and https are both disabled, and use an https address for running watches if no http addresses are present. Fixes #3425.
2017-09-26 20:47:27 +00:00
if len(cfg.HTTPAddrs) == 0 && len(cfg.HTTPSAddrs) == 0 {
agent: move watch plans into agent
2017-06-09 08:03:49 +00:00
return fmt.Errorf("watch plans require an HTTP or HTTPS endpoint")
}
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
// Compile the watches
var watchPlans []*watch.Plan
for _, params := range cfg.Watches {
Implement HTTP Watch handler (#3413) Implement HTTP Watch handler
2017-10-22 01:39:09 +00:00
if handlerType, ok := params["handler_type"]; !ok {
params["handler_type"] = "script"
} else if handlerType != "http" && handlerType != "script" {
return fmt.Errorf("Handler type '%s' not recognized", params["handler_type"])
}
Don't allow connect watches in agent/cli yet
2018-04-26 17:06:26 +00:00
// Don't let people use connect watches via this mechanism for now as it
// needs thought about how to do securely and shouldn't be necessary. Note
// that if the type assertion fails an type is not a string then
// ParseExample below will error so we don't need to handle that case.
if typ, ok := params["type"].(string); ok {
if strings.HasPrefix(typ, "connect_") {
return fmt.Errorf("Watch type %s is not allowed in agent config", typ)
}
}
watch: extract makeWatchPlan to facilitate testing There is a bug in here now that slices in opaque config are unsliced. But to test that bug fix we need a function that can be easily tested.
2020-07-10 17:33:45 +00:00
wp, err := makeWatchPlan(a.logger, params)
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
if err != nil {
watch: extract makeWatchPlan to facilitate testing There is a bug in here now that slices in opaque config are unsliced. But to test that bug fix we need a function that can be easily tested.
2020-07-10 17:33:45 +00:00
return err
Clean up subprocess handling and make shell use optional (#3509) * Clean up handling of subprocesses and make using a shell optional * Update docs for subprocess changes * Fix tests for new subprocess behavior * More cleanup of subprocesses * Minor adjustments and cleanup for subprocess logic * Makes the watch handler reload test use the new path. * Adds check tests for new args path, and updates existing tests to use new path. * Adds support for script args in Docker checks. * Fixes the sanitize unit test. * Adds panic for unknown watch type, and reverts back to Run(). * Adds shell option back to consul lock command. * Adds shell option back to consul exec command. * Adds shell back into consul watch command. * Refactors signal forwarding and makes Windows-friendly. * Adds a clarifying comment. * Changes error wording to a warning. * Scopes signals to interrupt and kill. This avoids us trying to send SIGCHILD to the dead process. * Adds an error for shell=false for consul exec. * Adds notes about the deprecated script and handler fields. * De-nests an if statement.
2017-10-04 23:48:00 +00:00
}
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
watchPlans = append(watchPlans, wp)
}
Fixes watch tracking during reloads and fixes address issue. (#3189) This patch fixes watch registration through the config file and a broken log line when the watch registration fails. It also plumbs all the watch loading through a common function and tweaks the unit test to create the watch before the reload.
2017-06-24 19:52:41 +00:00
// Fire off a goroutine for each new watch plan.
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
for _, wp := range watchPlans {
Fix issue with choosing a client addr that is 0.0.0.0 or ::
2018-07-16 20:30:15 +00:00
config, err := a.config.APIConfig(true)
if err != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Error("Failed to run watch", "error", err)
Fix issue with choosing a client addr that is 0.0.0.0 or ::
2018-07-16 20:30:15 +00:00
continue
}
Fixes watch tracking during reloads and fixes address issue. (#3189) This patch fixes watch registration through the config file and a broken log line when the watch registration fails. It also plumbs all the watch loading through a common function and tweaks the unit test to create the watch before the reload.
2017-06-24 19:52:41 +00:00
a.watchPlans = append(a.watchPlans, wp)
agent: move watch plans into agent
2017-06-09 08:03:49 +00:00
go func(wp *watch.Plan) {
Clean up subprocess handling and make shell use optional (#3509) * Clean up handling of subprocesses and make using a shell optional * Update docs for subprocess changes * Fix tests for new subprocess behavior * More cleanup of subprocesses * Minor adjustments and cleanup for subprocess logic * Makes the watch handler reload test use the new path. * Adds check tests for new args path, and updates existing tests to use new path. * Adds support for script args in Docker checks. * Fixes the sanitize unit test. * Adds panic for unknown watch type, and reverts back to Run(). * Adds shell option back to consul lock command. * Adds shell option back to consul exec command. * Adds shell back into consul watch command. * Refactors signal forwarding and makes Windows-friendly. * Adds a clarifying comment. * Changes error wording to a warning. * Scopes signals to interrupt and kill. This avoids us trying to send SIGCHILD to the dead process. * Adds an error for shell=false for consul exec. * Adds notes about the deprecated script and handler fields. * De-nests an if statement.
2017-10-04 23:48:00 +00:00
if h, ok := wp.Exempt["handler"]; ok {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
wp.Handler = makeWatchHandler(a.logger, h)
Implement HTTP Watch handler (#3413) Implement HTTP Watch handler
2017-10-22 01:39:09 +00:00
} else if h, ok := wp.Exempt["args"]; ok {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
wp.Handler = makeWatchHandler(a.logger, h)
Clean up subprocess handling and make shell use optional (#3509) * Clean up handling of subprocesses and make using a shell optional * Update docs for subprocess changes * Fix tests for new subprocess behavior * More cleanup of subprocesses * Minor adjustments and cleanup for subprocess logic * Makes the watch handler reload test use the new path. * Adds check tests for new args path, and updates existing tests to use new path. * Adds support for script args in Docker checks. * Fixes the sanitize unit test. * Adds panic for unknown watch type, and reverts back to Run(). * Adds shell option back to consul lock command. * Adds shell option back to consul exec command. * Adds shell back into consul watch command. * Refactors signal forwarding and makes Windows-friendly. * Adds a clarifying comment. * Changes error wording to a warning. * Scopes signals to interrupt and kill. This avoids us trying to send SIGCHILD to the dead process. * Adds an error for shell=false for consul exec. * Adds notes about the deprecated script and handler fields. * De-nests an if statement.
2017-10-04 23:48:00 +00:00
} else {
Implement HTTP Watch handler (#3413) Implement HTTP Watch handler
2017-10-22 01:39:09 +00:00
httpConfig := wp.Exempt["http_handler_config"].(*watch.HttpHandlerConfig)
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
wp.Handler = makeHTTPWatchHandler(a.logger, httpConfig)
Clean up subprocess handling and make shell use optional (#3509) * Clean up handling of subprocesses and make using a shell optional * Update docs for subprocess changes * Fix tests for new subprocess behavior * More cleanup of subprocesses * Minor adjustments and cleanup for subprocess logic * Makes the watch handler reload test use the new path. * Adds check tests for new args path, and updates existing tests to use new path. * Adds support for script args in Docker checks. * Fixes the sanitize unit test. * Adds panic for unknown watch type, and reverts back to Run(). * Adds shell option back to consul lock command. * Adds shell option back to consul exec command. * Adds shell back into consul watch command. * Refactors signal forwarding and makes Windows-friendly. * Adds a clarifying comment. * Changes error wording to a warning. * Scopes signals to interrupt and kill. This avoids us trying to send SIGCHILD to the dead process. * Adds an error for shell=false for consul exec. * Adds notes about the deprecated script and handler fields. * De-nests an if statement.
2017-10-04 23:48:00 +00:00
}
api: Use a Logger instead of an io.Writer in api.Watch So that we can pass around only a Logger, not a LogOutput
2020-07-29 18:33:36 +00:00
wp.Logger = a.logger.Named("watch")
Allow passing in a config to the watch plan to use when creating the API client This allows watches from consul agent config (rather than consul watch command) to be able to utilize HTTPs
2018-05-31 21:07:36 +00:00
Fix issue with choosing a client addr that is 0.0.0.0 or ::
2018-07-16 20:30:15 +00:00
addr := config.Address
if config.Scheme == "https" {
addr = "https://" + addr
Allow passing in a config to the watch plan to use when creating the API client This allows watches from consul agent config (rather than consul watch command) to be able to utilize HTTPs
2018-05-31 21:07:36 +00:00
}
Add RunWithConfig and put Run signature back to normal
2018-06-01 00:22:14 +00:00
if err := wp.RunWithConfig(addr, config); err != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Error("Failed to run watch", "error", err)
agent: move watch plans into agent
2017-06-09 08:03:49 +00:00
}
}(wp)
}
return nil
}
agent: unmethod consulConfig To allow us to move newConsulConfig out of Agent.
2020-07-29 17:49:52 +00:00
// newConsulConfig translates a RuntimeConfig into a consul.Config.
agent: Move setupKeyring functions to keyring.go There are a couple reasons for this change: 1. agent.go is way too big. Smaller files makes code eaasier to read because tools that show usage also include filename which can give a lot more context to someone trying to understand which functions call other functions. 2. these two functions call into a large number of functions already in keyring.go.
2020-08-11 00:20:06 +00:00
// TODO: move this function to a different file, maybe config.go
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
func newConsulConfig(runtimeCfg *config.RuntimeConfig, logger hclog.Logger) (*consul.Config, error) {
cfg := consul.DefaultConfig()
agent: clone partial consul config The agent configuration for the consul server is a partial configuration which needs to be cloned to avoid data races. This is a stop-gap measure before moving the configuration into a separate package.
2017-06-30 09:09:52 +00:00
Adds basic support for node IDs.
2017-01-18 06:20:11 +00:00
// This is set when the agent starts up
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
cfg.NodeID = runtimeCfg.NodeID
Adds basic support for node IDs.
2017-01-18 06:20:11 +00:00
consul: dev mode works
2015-11-29 04:40:05 +00:00
// Apply dev mode
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
cfg.DevMode = runtimeCfg.DevMode
consul: dev mode works
2015-11-29 04:40:05 +00:00
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
// Override with our runtimeCfg
// todo(fs): these are now always set in the runtime runtimeCfg so we can simplify this
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
// todo(fs): or is there a reason to keep it like that?
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
cfg.Datacenter = runtimeCfg.Datacenter
cfg.PrimaryDatacenter = runtimeCfg.PrimaryDatacenter
cfg.DataDir = runtimeCfg.DataDir
cfg.NodeName = runtimeCfg.NodeName
cfg.CoordinateUpdateBatchSize = runtimeCfg.ConsulCoordinateUpdateBatchSize
cfg.CoordinateUpdateMaxBatches = runtimeCfg.ConsulCoordinateUpdateMaxBatches
cfg.CoordinateUpdatePeriod = runtimeCfg.ConsulCoordinateUpdatePeriod
cfg.CheckOutputMaxSize = runtimeCfg.CheckOutputMaxSize
cfg.RaftConfig.HeartbeatTimeout = runtimeCfg.ConsulRaftHeartbeatTimeout
cfg.RaftConfig.LeaderLeaseTimeout = runtimeCfg.ConsulRaftLeaderLeaseTimeout
cfg.RaftConfig.ElectionTimeout = runtimeCfg.ConsulRaftElectionTimeout
cfg.SerfLANConfig.MemberlistConfig.BindAddr = runtimeCfg.SerfBindAddrLAN.IP.String()
cfg.SerfLANConfig.MemberlistConfig.BindPort = runtimeCfg.SerfBindAddrLAN.Port
cfg.SerfLANConfig.MemberlistConfig.CIDRsAllowed = runtimeCfg.SerfAllowedCIDRsLAN
cfg.SerfWANConfig.MemberlistConfig.CIDRsAllowed = runtimeCfg.SerfAllowedCIDRsWAN
cfg.SerfLANConfig.MemberlistConfig.AdvertiseAddr = runtimeCfg.SerfAdvertiseAddrLAN.IP.String()
cfg.SerfLANConfig.MemberlistConfig.AdvertisePort = runtimeCfg.SerfAdvertiseAddrLAN.Port
cfg.SerfLANConfig.MemberlistConfig.GossipVerifyIncoming = runtimeCfg.EncryptVerifyIncoming
cfg.SerfLANConfig.MemberlistConfig.GossipVerifyOutgoing = runtimeCfg.EncryptVerifyOutgoing
cfg.SerfLANConfig.MemberlistConfig.GossipInterval = runtimeCfg.GossipLANGossipInterval
cfg.SerfLANConfig.MemberlistConfig.GossipNodes = runtimeCfg.GossipLANGossipNodes
cfg.SerfLANConfig.MemberlistConfig.ProbeInterval = runtimeCfg.GossipLANProbeInterval
cfg.SerfLANConfig.MemberlistConfig.ProbeTimeout = runtimeCfg.GossipLANProbeTimeout
cfg.SerfLANConfig.MemberlistConfig.SuspicionMult = runtimeCfg.GossipLANSuspicionMult
cfg.SerfLANConfig.MemberlistConfig.RetransmitMult = runtimeCfg.GossipLANRetransmitMult
if runtimeCfg.ReconnectTimeoutLAN != 0 {
cfg.SerfLANConfig.ReconnectTimeout = runtimeCfg.ReconnectTimeoutLAN
}
if runtimeCfg.SerfBindAddrWAN != nil {
cfg.SerfWANConfig.MemberlistConfig.BindAddr = runtimeCfg.SerfBindAddrWAN.IP.String()
cfg.SerfWANConfig.MemberlistConfig.BindPort = runtimeCfg.SerfBindAddrWAN.Port
cfg.SerfWANConfig.MemberlistConfig.AdvertiseAddr = runtimeCfg.SerfAdvertiseAddrWAN.IP.String()
cfg.SerfWANConfig.MemberlistConfig.AdvertisePort = runtimeCfg.SerfAdvertiseAddrWAN.Port
cfg.SerfWANConfig.MemberlistConfig.GossipVerifyIncoming = runtimeCfg.EncryptVerifyIncoming
cfg.SerfWANConfig.MemberlistConfig.GossipVerifyOutgoing = runtimeCfg.EncryptVerifyOutgoing
cfg.SerfWANConfig.MemberlistConfig.GossipInterval = runtimeCfg.GossipWANGossipInterval
cfg.SerfWANConfig.MemberlistConfig.GossipNodes = runtimeCfg.GossipWANGossipNodes
cfg.SerfWANConfig.MemberlistConfig.ProbeInterval = runtimeCfg.GossipWANProbeInterval
cfg.SerfWANConfig.MemberlistConfig.ProbeTimeout = runtimeCfg.GossipWANProbeTimeout
cfg.SerfWANConfig.MemberlistConfig.SuspicionMult = runtimeCfg.GossipWANSuspicionMult
cfg.SerfWANConfig.MemberlistConfig.RetransmitMult = runtimeCfg.GossipWANRetransmitMult
if runtimeCfg.ReconnectTimeoutWAN != 0 {
cfg.SerfWANConfig.ReconnectTimeout = runtimeCfg.ReconnectTimeoutWAN
Fix #4515: Segfault when serf_wan port was -1 but reconnect_time_wan was set (#4531) Fixes #4515 This just slightly refactors the logic to only attempt to set the serf wan reconnect timeout when the rest of the serf wan settings are configured - thus avoiding a segfault.
2018-08-17 18:44:25 +00:00
}
Allows disabling WAN federation by setting serf WAN port to -1
2018-03-26 19:21:06 +00:00
} else {
// Disable serf WAN federation
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
cfg.SerfWANConfig = nil
Allows disabling WAN federation by setting serf WAN port to -1
2018-03-26 19:21:06 +00:00
}
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
cfg.RPCAddr = runtimeCfg.RPCBindAddr
cfg.RPCAdvertise = runtimeCfg.RPCAdvertiseAddr
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
cfg.Segment = runtimeCfg.SegmentName
if len(runtimeCfg.Segments) > 0 {
segments, err := segmentConfig(runtimeCfg)
Add rpc_listener option to segment config
2017-08-29 00:58:22 +00:00
if err != nil {
return nil, err
Adds open source side of network segments (feature is Enterprise-only).
2017-08-14 14:36:07 +00:00
}
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
cfg.Segments = segments
Adds open source side of network segments (feature is Enterprise-only).
2017-08-14 14:36:07 +00:00
}
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
if runtimeCfg.Bootstrap {
cfg.Bootstrap = true
Adding a bootstrap flag to allow single server raft
2013-12-25 00:48:07 +00:00
}
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
if runtimeCfg.CheckOutputMaxSize > 0 {
cfg.CheckOutputMaxSize = runtimeCfg.CheckOutputMaxSize
Support for maximum size for Output of checks (#5233) * Support for maximum size for Output of checks This PR allows users to limit the size of output produced by checks at the agent and check level. When set at the agent level, it will limit the output for all checks monitored by the agent. When set at the check level, it can override the agent max for a specific check but only if it is lower than the agent max. Default value is 4k, and input must be at least 1.
2019-06-26 15:43:25 +00:00
}
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
if runtimeCfg.RejoinAfterLeave {
cfg.RejoinAfterLeave = true
agent: Fixing missing copy of RejoinAfterLeave flag. #110
2014-06-18 17:32:19 +00:00
}
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
if runtimeCfg.BootstrapExpect != 0 {
cfg.BootstrapExpect = runtimeCfg.BootstrapExpect
Add expect bootstrap '-expect=n' mode. This allows for us to automatically bootstrap a cluster of nodes after 'n' number of server nodes join. All servers must have the same 'n' set, or they will fail to join the cluster; all servers will not join the peer set until they hit 'n' server nodes. If the raft commit index is not empty, '-expect=n' does nothing because it thinks you've already bootstrapped. Signed-off-by: Robert Xu <robxu9@gmail.com>
2014-06-16 21:36:12 +00:00
}
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
if runtimeCfg.RPCProtocol > 0 {
cfg.ProtocolVersion = uint8(runtimeCfg.RPCProtocol)
agent: Support protocol version setting
2014-03-09 22:57:03 +00:00
}
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
if runtimeCfg.RaftProtocol != 0 {
cfg.RaftConfig.ProtocolVersion = raft.ProtocolVersion(runtimeCfg.RaftProtocol)
Add state store table and endpoints for autopilot
2017-02-24 04:32:13 +00:00
}
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
if runtimeCfg.RaftSnapshotThreshold != 0 {
cfg.RaftConfig.SnapshotThreshold = uint64(runtimeCfg.RaftSnapshotThreshold)
Make raft snapshot commit threshold configurable
2018-05-10 15:16:38 +00:00
}
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
if runtimeCfg.RaftSnapshotInterval != 0 {
cfg.RaftConfig.SnapshotInterval = runtimeCfg.RaftSnapshotInterval
Also make snapshot interval configurable
2018-05-10 22:06:47 +00:00
}
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
if runtimeCfg.RaftTrailingLogs != 0 {
cfg.RaftConfig.TrailingLogs = uint64(runtimeCfg.RaftTrailingLogs)
Allow raft TrailingLogs to be configured. (#6186) This fixes pathological cases where the write throughput and snapshot size are both so large that more than 10k log entries are written in the time it takes to restore the snapshot from disk. In this case followers that restart can never catch up with leader replication again and enter a loop of constantly downloading a full snapshot and restoring it only to find that snapshot is already out of date and the leader has truncated its logs so a new snapshot is sent etc. In general if you need to adjust this, you are probably abusing Consul for purposes outside its design envelope and should reconsider your usage to reduce data size and/or write volume.
2019-07-23 14:19:57 +00:00
}
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
if runtimeCfg.ACLMasterToken != "" {
cfg.ACLMasterToken = runtimeCfg.ACLMasterToken
agent: Adding ACL master token
2014-08-05 22:36:08 +00:00
}
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
if runtimeCfg.ACLDatacenter != "" {
cfg.ACLDatacenter = runtimeCfg.ACLDatacenter
consul: ACL setting passthrough
2014-08-05 22:20:35 +00:00
}
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
if runtimeCfg.ACLTokenTTL != 0 {
cfg.ACLTokenTTL = runtimeCfg.ACLTokenTTL
New ACLs (#4791) This PR is almost a complete rewrite of the ACL system within Consul. It brings the features more in line with other HashiCorp products. Obviously there is quite a bit left to do here but most of it is related docs, testing and finishing the last few commands in the CLI. I will update the PR description and check off the todos as I finish them over the next few days/week. Description At a high level this PR is mainly to split ACL tokens from Policies and to split the concepts of Authorization from Identities. A lot of this PR is mostly just to support CRUD operations on ACLTokens and ACLPolicies. These in and of themselves are not particularly interesting. The bigger conceptual changes are in how tokens get resolved, how backwards compatibility is handled and the separation of policy from identity which could lead the way to allowing for alternative identity providers. On the surface and with a new cluster the ACL system will look very similar to that of Nomads. Both have tokens and policies. Both have local tokens. The ACL management APIs for both are very similar. I even ripped off Nomad's ACL bootstrap resetting procedure. There are a few key differences though. Nomad requires token and policy replication where Consul only requires policy replication with token replication being opt-in. In Consul local tokens only work with token replication being enabled though. All policies in Nomad are globally applicable. In Consul all policies are stored and replicated globally but can be scoped to a subset of the datacenters. This allows for more granular access management. Unlike Nomad, Consul has legacy baggage in the form of the original ACL system. The ramifications of this are: A server running the new system must still support other clients using the legacy system. A client running the new system must be able to use the legacy RPCs when the servers in its datacenter are running the legacy system. The primary ACL DC's servers running in legacy mode needs to be a gate that keeps everything else in the entire multi-DC cluster running in legacy mode. So not only does this PR implement the new ACL system but has a legacy mode built in for when the cluster isn't ready for new ACLs. Also detecting that new ACLs can be used is automatic and requires no configuration on the part of administrators. This process is detailed more in the "Transitioning from Legacy to New ACL Mode" section below.
2018-10-19 16:04:07 +00:00
}
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
if runtimeCfg.ACLPolicyTTL != 0 {
cfg.ACLPolicyTTL = runtimeCfg.ACLPolicyTTL
consul: ACL setting passthrough
2014-08-05 22:20:35 +00:00
}
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
if runtimeCfg.ACLRoleTTL != 0 {
cfg.ACLRoleTTL = runtimeCfg.ACLRoleTTL
acl: adding Roles to Tokens (#5514) Roles are named and can express the same bundle of permissions that can currently be assigned to a Token (lists of Policies and Service Identities). The difference with a Role is that it not itself a bearer token, but just another entity that can be tied to a Token. This lets an operator potentially curate a set of smaller reusable Policies and compose them together into reusable Roles, rather than always exploding that same list of Policies on any Token that needs similar permissions. This also refactors the acl replication code to be semi-generic to avoid 3x copypasta.
2019-04-15 20:43:19 +00:00
}
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
if runtimeCfg.ACLDefaultPolicy != "" {
cfg.ACLDefaultPolicy = runtimeCfg.ACLDefaultPolicy
consul: ACL setting passthrough
2014-08-05 22:20:35 +00:00
}
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
if runtimeCfg.ACLDownPolicy != "" {
cfg.ACLDownPolicy = runtimeCfg.ACLDownPolicy
consul: ACL setting passthrough
2014-08-05 22:20:35 +00:00
}
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
cfg.ACLTokenReplication = runtimeCfg.ACLTokenReplication
cfg.ACLsEnabled = runtimeCfg.ACLsEnabled
if runtimeCfg.ACLEnableKeyListPolicy {
cfg.ACLEnableKeyListPolicy = runtimeCfg.ACLEnableKeyListPolicy
Introduces new 'list' permission that applies to KV store recursive reads, and enforced only when opted in.
2017-10-02 22:10:21 +00:00
}
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
if runtimeCfg.SessionTTLMin != 0 {
cfg.SessionTTLMin = runtimeCfg.SessionTTLMin
Support SesionTTLMin configuration - Allow setting SessionTTLMin - Validate on the Server
2015-03-27 05:30:04 +00:00
}
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
if runtimeCfg.NonVotingServer {
cfg.NonVoter = runtimeCfg.NonVotingServer
Add advanced autopilot features
2017-03-21 23:36:44 +00:00
}
Copies the autopilot settings from the runtime config. Fixes #3730
2017-12-13 18:31:45 +00:00
// These are fully specified in the agent defaults, so we can simply
// copy them over.
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
cfg.AutopilotConfig.CleanupDeadServers = runtimeCfg.AutopilotCleanupDeadServers
cfg.AutopilotConfig.LastContactThreshold = runtimeCfg.AutopilotLastContactThreshold
cfg.AutopilotConfig.MaxTrailingLogs = uint64(runtimeCfg.AutopilotMaxTrailingLogs)
cfg.AutopilotConfig.MinQuorum = runtimeCfg.AutopilotMinQuorum
cfg.AutopilotConfig.ServerStabilizationTime = runtimeCfg.AutopilotServerStabilizationTime
cfg.AutopilotConfig.RedundancyZoneTag = runtimeCfg.AutopilotRedundancyZoneTag
cfg.AutopilotConfig.DisableUpgradeMigration = runtimeCfg.AutopilotDisableUpgradeMigration
cfg.AutopilotConfig.UpgradeVersionTag = runtimeCfg.AutopilotUpgradeVersionTag
Filling in Agent basics
2013-12-20 23:33:13 +00:00
Do not modify config after creation Make sure the RPCAdvertise address is always set so that the configuration does not have to be modified after creation.
2017-05-03 20:59:06 +00:00
// make sure the advertise address is always set
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
if cfg.RPCAdvertise == nil {
cfg.RPCAdvertise = cfg.RPCAddr
Do not modify config after creation Make sure the RPCAdvertise address is always set so that the configuration does not have to be modified after creation.
2017-05-03 20:59:06 +00:00
}
Adds simple rate limiting for client agent RPC calls to Consul servers. (#3440) * Added rate limiting for agent RPC calls. * Initializes the rate limiter based on the config. * Adds the rate limiter into the snapshot RPC path. * Adds unit tests for the RPC rate limiter. * Groups the RPC limit parameters under "limits" in the config. * Adds some documentation about the RPC limiter. * Sends a 429 response when the rate limiter kicks in. * Adds docs for new telemetry. * Makes snapshot telemetry look like RPC telemetry and cleans up comments.
2017-09-01 22:02:50 +00:00
// Rate limiting for RPC calls.
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
if runtimeCfg.RPCRateLimit > 0 {
cfg.RPCRate = runtimeCfg.RPCRateLimit
Adds simple rate limiting for client agent RPC calls to Consul servers. (#3440) * Added rate limiting for agent RPC calls. * Initializes the rate limiter based on the config. * Adds the rate limiter into the snapshot RPC path. * Adds unit tests for the RPC rate limiter. * Groups the RPC limit parameters under "limits" in the config. * Adds some documentation about the RPC limiter. * Sends a 429 response when the rate limiter kicks in. * Adds docs for new telemetry. * Makes snapshot telemetry look like RPC telemetry and cleans up comments.
2017-09-01 22:02:50 +00:00
}
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
if runtimeCfg.RPCMaxBurst > 0 {
cfg.RPCMaxBurst = runtimeCfg.RPCMaxBurst
Adds simple rate limiting for client agent RPC calls to Consul servers. (#3440) * Added rate limiting for agent RPC calls. * Initializes the rate limiter based on the config. * Adds the rate limiter into the snapshot RPC path. * Adds unit tests for the RPC rate limiter. * Groups the RPC limit parameters under "limits" in the config. * Adds some documentation about the RPC limiter. * Sends a 429 response when the rate limiter kicks in. * Adds docs for new telemetry. * Makes snapshot telemetry look like RPC telemetry and cleans up comments.
2017-09-01 22:02:50 +00:00
}
Security fixes (#7182) * Mitigate HTTP/RPC Services Allow Unbounded Resource Usage Fixes #7159. Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: Paul Banks <banks@banksco.de>
2020-01-31 16:19:37 +00:00
// RPC timeouts/limits.
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
if runtimeCfg.RPCHandshakeTimeout > 0 {
cfg.RPCHandshakeTimeout = runtimeCfg.RPCHandshakeTimeout
Makes RPC handling more robust when rolling servers. (#3561) * Adds client-side retry for no leader errors. This paves over the case where the client was connected to the leader when it loses leadership. * Adds a configurable server RPC drain time and a fail-fast path for RPCs. When a server leaves it gets removed from the Raft configuration, so it will never know who the new leader server ends up being. Without this we'd be doomed to wait out the RPC hold timeout and then fail. This makes things fail a little quicker while a sever is draining, and since we added a client retry AND since the server doing this has already shut down and left the Serf LAN, clients should retry against some other server. * Makes the RPC hold timeout configurable. * Reorders struct members. * Sets the RPC hold timeout default for test servers. * Bumps the leave drain time up to 5 seconds. * Robustifies retries with a simpler client-side RPC hold. * Reverts untended delete.
2017-10-10 22:19:50 +00:00
}
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
if runtimeCfg.RPCMaxConnsPerClient > 0 {
cfg.RPCMaxConnsPerClient = runtimeCfg.RPCMaxConnsPerClient
Security fixes (#7182) * Mitigate HTTP/RPC Services Allow Unbounded Resource Usage Fixes #7159. Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: Paul Banks <banks@banksco.de>
2020-01-31 16:19:37 +00:00
}
// RPC-related performance configs. We allow explicit zero value to disable so
// copy it whatever the value.
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
cfg.RPCHoldTimeout = runtimeCfg.RPCHoldTimeout
Security fixes (#7182) * Mitigate HTTP/RPC Services Allow Unbounded Resource Usage Fixes #7159. Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: Paul Banks <banks@banksco.de>
2020-01-31 16:19:37 +00:00
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
if runtimeCfg.LeaveDrainTime > 0 {
cfg.LeaveDrainTime = runtimeCfg.LeaveDrainTime
Makes RPC handling more robust when rolling servers. (#3561) * Adds client-side retry for no leader errors. This paves over the case where the client was connected to the leader when it loses leadership. * Adds a configurable server RPC drain time and a fail-fast path for RPCs. When a server leaves it gets removed from the Raft configuration, so it will never know who the new leader server ends up being. Without this we'd be doomed to wait out the RPC hold timeout and then fail. This makes things fail a little quicker while a sever is draining, and since we added a client retry AND since the server doing this has already shut down and left the Serf LAN, clients should retry against some other server. * Makes the RPC hold timeout configurable. * Reorders struct members. * Sets the RPC hold timeout default for test servers. * Bumps the leave drain time up to 5 seconds. * Robustifies retries with a simpler client-side RPC hold. * Reverts untended delete.
2017-10-10 22:19:50 +00:00
}
Use bind address as source for outgoing connections (#2822) This patch configures consul to use the bind address as the source address for outgoing connections. Fixes #2822
2017-05-03 10:57:11 +00:00
// set the src address for outgoing rpc connections
agent: use bind address as src unless INADDR_ANY Use the bind address as source address for outgoing RPC connections unless it is INADDR_ANY. The current code uses the advertise address which will not work in certain environments where the advertise address is not routable in the network of the agent, e.g. NAT environment, container... After all, that is the purpose of the advertise address. See #2822
2017-05-10 07:30:19 +00:00
// Use port 0 so that outgoing connections use a random port.
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
if !ipaddr.IsAny(cfg.RPCAddr.IP) {
cfg.RPCSrcAddr = &net.TCPAddr{IP: cfg.RPCAddr.IP}
agent: use bind address as src unless INADDR_ANY Use the bind address as source address for outgoing RPC connections unless it is INADDR_ANY. The current code uses the advertise address which will not work in certain environments where the advertise address is not routable in the network of the agent, e.g. NAT environment, container... After all, that is the purpose of the advertise address. See #2822
2017-05-10 07:30:19 +00:00
}
Use bind address as source for outgoing connections (#2822) This patch configures consul to use the bind address as the source address for outgoing connections. Fixes #2822
2017-05-03 10:57:11 +00:00
consul: Gossip the build using Serf
2014-06-06 22:36:40 +00:00
// Format the build string
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
revision := runtimeCfg.Revision
consul: Gossip the build using Serf
2014-06-06 22:36:40 +00:00
if len(revision) > 8 {
revision = revision[:8]
}
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
cfg.Build = fmt.Sprintf("%s%s:%s", runtimeCfg.Version, runtimeCfg.VersionPrerelease, revision)
consul: Gossip the build using Serf
2014-06-06 22:36:40 +00:00
agent: Passthrough of TLS configurations
2014-04-04 23:52:39 +00:00
// Copy the TLS configuration
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
cfg.VerifyIncoming = runtimeCfg.VerifyIncoming || runtimeCfg.VerifyIncomingRPC
if runtimeCfg.CAPath != "" || runtimeCfg.CAFile != "" {
cfg.UseTLS = true
}
cfg.VerifyOutgoing = runtimeCfg.VerifyOutgoing
cfg.VerifyServerHostname = runtimeCfg.VerifyServerHostname
cfg.CAFile = runtimeCfg.CAFile
cfg.CAPath = runtimeCfg.CAPath
cfg.CertFile = runtimeCfg.CertFile
cfg.KeyFile = runtimeCfg.KeyFile
cfg.ServerName = runtimeCfg.ServerName
cfg.Domain = runtimeCfg.DNSDomain
cfg.TLSMinVersion = runtimeCfg.TLSMinVersion
cfg.TLSCipherSuites = runtimeCfg.TLSCipherSuites
cfg.TLSPreferServerCipherSuites = runtimeCfg.TLSPreferServerCipherSuites
cfg.DefaultQueryTime = runtimeCfg.DefaultQueryTime
cfg.MaxQueryTime = runtimeCfg.MaxQueryTime
cfg.AutoEncryptAllowTLS = runtimeCfg.AutoEncryptAllowTLS
// Copy the Connect CA bootstrap runtimeCfg
if runtimeCfg.ConnectEnabled {
cfg.ConnectEnabled = true
cfg.ConnectMeshGatewayWANFederationEnabled = runtimeCfg.ConnectMeshGatewayWANFederationEnabled
ca, err := runtimeCfg.ConnectCAConfiguration()
Move generation of the CA Configuration from the agent code into a method on the RuntimeConfig (#8363) This allows this to be reused elsewhere.
2020-07-23 20:05:28 +00:00
if err != nil {
return nil, err
connect: tame thundering herd of CSRs on CA rotation (#5228) * Support rate limiting and concurrency limiting CSR requests on servers; handle CA rotations gracefully with jitter and backoff-on-rate-limit in client * Add CSR rate limiting docs * Fix config naming and add tests for new CA configs
2019-01-22 17:19:36 +00:00
}
Add CA config to connect section of agent config
2018-04-25 18:34:08 +00:00
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
cfg.CAConfig = ca
Add CA config to connect section of agent config
2018-04-25 18:34:08 +00:00
}
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
// copy over auto runtimeCfg settings
cfg.AutoConfigEnabled = runtimeCfg.AutoConfig.Enabled
cfg.AutoConfigIntroToken = runtimeCfg.AutoConfig.IntroToken
cfg.AutoConfigIntroTokenFile = runtimeCfg.AutoConfig.IntroTokenFile
cfg.AutoConfigServerAddresses = runtimeCfg.AutoConfig.ServerAddresses
cfg.AutoConfigDNSSANs = runtimeCfg.AutoConfig.DNSSANs
cfg.AutoConfigIPSANs = runtimeCfg.AutoConfig.IPSANs
cfg.AutoConfigAuthzEnabled = runtimeCfg.AutoConfig.Authorizer.Enabled
cfg.AutoConfigAuthzAuthMethod = runtimeCfg.AutoConfig.Authorizer.AuthMethod
cfg.AutoConfigAuthzClaimAssertions = runtimeCfg.AutoConfig.Authorizer.ClaimAssertions
cfg.AutoConfigAuthzAllowReuse = runtimeCfg.AutoConfig.Authorizer.AllowReuse
agent: working on user events
2014-08-27 23:49:12 +00:00
Populates the segment keyrings based on the LAN keyring.
2017-09-07 19:17:20 +00:00
// This will set up the LAN keyring, as well as the WAN and any segments
// for servers.
agent: Move setupKeyring functions to keyring.go There are a couple reasons for this change: 1. agent.go is way too big. Smaller files makes code eaasier to read because tools that show usage also include filename which can give a lot more context to someone trying to understand which functions call other functions. 2. these two functions call into a large number of functions already in keyring.go.
2020-08-11 00:20:06 +00:00
// TODO: move this closer to where the keyrings will be used.
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
if err := setupKeyrings(cfg, runtimeCfg, logger); err != nil {
Prevents disabling gossip keyring file from disabling gossip encryption. (#3278)
2017-07-17 19:48:45 +00:00
return nil, fmt.Errorf("Failed to configure keyring: %v", err)
agent: fix data race between consul server and local state
2017-06-29 12:35:55 +00:00
}
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
cfg.ConfigEntryBootstrap = runtimeCfg.ConfigEntryBootstrap
Updates to allow for using an enterprise specific token as the agents token This is needed to allow for managed Consul instances to register themselves in the catalog with one of the managed service provider tokens.
2020-04-28 13:44:26 +00:00
agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.
2020-08-11 16:20:46 +00:00
enterpriseConsulConfig(cfg, runtimeCfg)
return cfg, nil
Filling in Agent basics
2013-12-20 23:33:13 +00:00
}
Add rpc_listener option to segment config
2017-08-29 00:58:22 +00:00
// Setup the serf and memberlist config for any defined network segments.
agent: unmethod consulConfig To allow us to move newConsulConfig out of Agent.
2020-07-29 17:49:52 +00:00
func segmentConfig(config *config.RuntimeConfig) ([]consul.NetworkSegment, error) {
Revert "Manages segments list via a pointer." This reverts commit c277a4250461443cbd63de0259e5e32766f651ea.
2017-09-07 23:37:11 +00:00
var segments []consul.NetworkSegment
Add rpc_listener option to segment config
2017-08-29 00:58:22 +00:00
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
for _, s := range config.Segments {
Add rpc_listener option to segment config
2017-08-29 00:58:22 +00:00
serfConf := consul.DefaultConfig().SerfLANConfig
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
serfConf.MemberlistConfig.BindAddr = s.Bind.IP.String()
serfConf.MemberlistConfig.BindPort = s.Bind.Port
serfConf.MemberlistConfig.AdvertiseAddr = s.Advertise.IP.String()
serfConf.MemberlistConfig.AdvertisePort = s.Advertise.Port
Default bind/advertise for segments to BindAddr/AdvertiseAddr
2017-08-30 19:51:10 +00:00
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
if config.ReconnectTimeoutLAN != 0 {
serfConf.ReconnectTimeout = config.ReconnectTimeoutLAN
Add rpc_listener option to segment config
2017-08-29 00:58:22 +00:00
}
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
if config.EncryptVerifyIncoming {
serfConf.MemberlistConfig.GossipVerifyIncoming = config.EncryptVerifyIncoming
Add rpc_listener option to segment config
2017-08-29 00:58:22 +00:00
}
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
if config.EncryptVerifyOutgoing {
serfConf.MemberlistConfig.GossipVerifyOutgoing = config.EncryptVerifyOutgoing
Add rpc_listener option to segment config
2017-08-29 00:58:22 +00:00
}
var rpcAddr *net.TCPAddr
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
if s.RPCListener {
Add rpc_listener option to segment config
2017-08-29 00:58:22 +00:00
rpcAddr = &net.TCPAddr{
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
IP: s.Bind.IP,
agent: unmethod consulConfig To allow us to move newConsulConfig out of Agent.
2020-07-29 17:49:52 +00:00
Port: config.ServerPort,
Add rpc_listener option to segment config
2017-08-29 00:58:22 +00:00
}
}
Revert "Manages segments list via a pointer." This reverts commit c277a4250461443cbd63de0259e5e32766f651ea.
2017-09-07 23:37:11 +00:00
segments = append(segments, consul.NetworkSegment{
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
Name: s.Name,
Fix some inconsistencies with segment logic and comments
2017-08-30 23:44:04 +00:00
Bind: serfConf.MemberlistConfig.BindAddr,
Advertise: serfConf.MemberlistConfig.AdvertiseAddr,
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
Port: s.Bind.Port,
Add rpc_listener option to segment config
2017-08-29 00:58:22 +00:00
RPCAddr: rpcAddr,
SerfConfig: serfConf,
})
}
return segments, nil
}
agent: make registerEndpoint private This is only used for testing.
2017-06-19 14:36:09 +00:00
// registerEndpoint registers a handler for the consul RPC server
agent: make the RPC endpoint overwrite mechanism more transparent This patch hides the RPC handler overwrite mechanism from the rest of the code so that it works in all cases and that there is no cooperation required from the tested code, i.e. we can drop a.getEndpoint().
2017-06-16 07:54:09 +00:00
// under a unique name while making it accessible under the provided
// name. This allows overwriting handlers for the golang net/rpc
// service which does not allow this.
agent: make registerEndpoint private This is only used for testing.
2017-06-19 14:36:09 +00:00
func (a *Agent) registerEndpoint(name string, handler interface{}) error {
agent: make the RPC endpoint overwrite mechanism more transparent This patch hides the RPC handler overwrite mechanism from the rest of the code so that it works in all cases and that there is no cooperation required from the tested code, i.e. we can drop a.getEndpoint().
2017-06-16 07:54:09 +00:00
srv, ok := a.delegate.(*consul.Server)
if !ok {
panic("agent must be a server")
}
realname := fmt.Sprintf("%s-%d", name, time.Now().UnixNano())
a.endpointsLock.Lock()
a.endpoints[name] = realname
a.endpointsLock.Unlock()
return srv.RegisterEndpoint(realname, handler)
}
Filling in Agent basics
2013-12-20 23:33:13 +00:00
// RPC is used to make an RPC call to the Consul servers
// This allows the agent to implement the Consul.Interface
func (a *Agent) RPC(method string, args interface{}, reply interface{}) error {
Switches to using a read lock for the agent's RPC dispatcher. This prevents RPC calls from getting serialized in this spot. Fixes #3376
2017-08-10 01:51:55 +00:00
a.endpointsLock.RLock()
agent: make the RPC endpoint overwrite mechanism more transparent This patch hides the RPC handler overwrite mechanism from the rest of the code so that it works in all cases and that there is no cooperation required from the tested code, i.e. we can drop a.getEndpoint().
2017-06-16 07:54:09 +00:00
// fast path: only translate if there are overrides
if len(a.endpoints) > 0 {
p := strings.SplitN(method, ".", 2)
if e := a.endpoints[p[0]]; e != "" {
method = e + "." + p[1]
}
}
Switches to using a read lock for the agent's RPC dispatcher. This prevents RPC calls from getting serialized in this spot. Fixes #3376
2017-08-10 01:51:55 +00:00
a.endpointsLock.RUnlock()
agent: Replace client/server with delegate interface This patch adds a new internal interface clientServer which defines the common methods of consul.Client and consul.Server. This allows to replace the following code if a.server != nil { a.server.do() } else { a.client.do() } with a.delegate.do() In case a specific type is required a type check can be performed: if srv, ok := a.delegate.(*consul.Server); ok { srv.doSrv() }
2017-05-15 14:05:17 +00:00
return a.delegate.RPC(method, args, reply)
Filling in Agent basics
2013-12-20 23:33:13 +00:00
}
documentation: minor comment consistency in agent.go
2014-04-18 05:46:31 +00:00
// Leave is used to prepare the agent for a graceful shutdown
Agent skeleton
2013-12-20 01:14:46 +00:00
func (a *Agent) Leave() error {
agent: Replace client/server with delegate interface This patch adds a new internal interface clientServer which defines the common methods of consul.Client and consul.Server. This allows to replace the following code if a.server != nil { a.server.do() } else { a.client.do() } with a.delegate.do() In case a specific type is required a type check can be performed: if srv, ok := a.delegate.(*consul.Server); ok { srv.doSrv() }
2017-05-15 14:05:17 +00:00
return a.delegate.Leave()
Agent skeleton
2013-12-20 01:14:46 +00:00
}
agent: fix 'consul leave' shutdown race (#2880) When the agent is triggered to shutdown via an external 'consul leave' command delivered via the HTTP API then the client expects to receive a response when the agent is down. This creates a race on when to shutdown the agent itself like the RPC server, the checks and the state and the external endpoints like DNS and HTTP. This patch splits the shutdown process into two parts: * shutdown the agent * shutdown the endpoints (http and dns) They can be executed multiple times, concurrently and in any order but should be executed first agent, then endpoints to provide consistent behavior across all use cases. Both calls have to be executed for a proper shutdown. This could be partially hidden in a single function but would introduce some magic that happens behind the scenes which one has to know of but isn't obvious. Fixes #2880
2017-06-20 07:29:20 +00:00
// ShutdownAgent is used to hard stop the agent. Should be preceded by
// Leave to do it gracefully. Should be followed by ShutdownEndpoints to
// terminate the HTTP and DNS servers as well.
func (a *Agent) ShutdownAgent() error {
Working on the agent
2013-12-21 00:39:32 +00:00
a.shutdownLock.Lock()
defer a.shutdownLock.Unlock()
if a.shutdown {
return nil
}
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Info("Requesting shutdown")
Stop all watches before shuting down anything dring shutdown. (#7526) This will prevent watches from being triggered. ```changelog * fix(agent): stop all watches before shuting down ```
2020-05-26 08:01:49 +00:00
// Stop the watches to avoid any notification/state change during shutdown
a.stopAllWatches()
agent: move http/dns endpoints into agent Move the HTTP and DNS endpoints into the agent and control their lifespan via the agent. This removes the requirement to manage HTTP and DNS servers indpendent of the agent since the agent is mostly useless without an endpoint and the endpoints without the agent.
2017-05-19 09:53:41 +00:00
Agent Auto Config: Implement Certificate Generation (#8360) Most of the groundwork was laid in previous PRs between adding the cert-monitor package to extracting the logic of signing certificates out of the connect_ca_endpoint.go code and into a method on the server. This also refactors the auto-config package a bit to split things out into multiple files.
2020-07-28 19:31:48 +00:00
// this would be cancelled anyways (by the closing of the shutdown ch) but
// this should help them to be stopped more quickly
agent/consul: pass dependencies directly from agent In an upcoming change we will need to pass a grpc.ClientConnPool from BaseDeps into Server. While looking at that change I noticed all of the existing consulOption fields are already on BaseDeps. Instead of duplicating the fields, we can create a struct used by agent/consul, and use that struct in BaseDeps. This allows us to pass along dependencies without translating them into different representations. I also looked at moving all of BaseDeps in agent/consul, however that created some circular imports. Resolving those cycles wouldn't be too bad (it was only an error in agent/consul being imported from cache-types), however this change seems a little better by starting to introduce some structure to BaseDeps. This change is also a small step in reducing the scope of Agent. Also remove some constants that were only used by tests, and move the relevant comment to where the live configuration is set. Removed some validation from NewServer and NewClient, as these are not really runtime errors. They would be code errors, which will cause a panic anyway, so no reason to handle them specially here.
2020-09-14 22:31:07 +00:00
a.baseDeps.AutoConfig.Stop()
Agent Auto Config: Implement Certificate Generation (#8360) Most of the groundwork was laid in previous PRs between adding the cert-monitor package to extracting the logic of signing certificates out of the connect_ca_endpoint.go code and into a method on the server. This also refactors the auto-config package a bit to split things out into multiple files.
2020-07-28 19:31:48 +00:00
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
// Stop the service manager (must happen before we take the stateLock to avoid deadlock)
if a.serviceManager != nil {
a.serviceManager.Stop()
}
Adding CheckMonitors and CheckTTLs to agent
2014-01-21 20:05:56 +00:00
// Stop all the checks
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
a.stateLock.Lock()
defer a.stateLock.Unlock()
Adding CheckMonitors and CheckTTLs to agent
2014-01-21 20:05:56 +00:00
for _, chk := range a.checkMonitors {
chk.Stop()
}
for _, chk := range a.checkTTLs {
chk.Stop()
}
command/agent: Add simple HTTP check type These checks make an `HTTP GET` request every Interval to the specified URL. The status of the service depends on the HTTP Response Code. `200` is passing, `503` is warning and anything else is failing.
2015-01-09 22:43:24 +00:00
for _, chk := range a.checkHTTPs {
chk.Stop()
}
Add TCP check type Adds the ability to simply check whether a TCP socket accepts connections to determine if it is healthy. This is a light-weight - though less comprehensive than scripting - method of checking network service health. The check parameter `tcp` should be set to the `address:port` combination for the service to be tested. Supports both IPv6 and IPv4, in the case of a hostname that resolves to both, connections will be attempted via both protocol versions, with the first successful connection returning a successful check result. Example check: ```json { "check": { "id": "ssh", "name": "SSH (TCP)", "tcp": "example.com:22", "interval": "10s" } } ```
2015-07-23 11:45:08 +00:00
for _, chk := range a.checkTCPs {
chk.Stop()
}
Add gRPC health-check #3073
2017-12-27 04:35:22 +00:00
for _, chk := range a.checkGRPCs {
chk.Stop()
}
agent: stop docker checks on shutdown
2017-07-18 18:57:27 +00:00
for _, chk := range a.checkDockers {
chk.Stop()
}
agent: run alias checks
2018-06-30 13:38:56 +00:00
for _, chk := range a.checkAliases {
chk.Stop()
}
Add TCP check type Adds the ability to simply check whether a TCP socket accepts connections to determine if it is healthy. This is a light-weight - though less comprehensive than scripting - method of checking network service health. The check parameter `tcp` should be set to the `address:port` combination for the service to be tested. Supports both IPv6 and IPv4, in the case of a hostname that resolves to both, connections will be attempted via both protocol versions, with the first successful connection returning a successful check result. Example check: ```json { "check": { "id": "ssh", "name": "SSH (TCP)", "tcp": "example.com:22", "interval": "10s" } } ```
2015-07-23 11:45:08 +00:00
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review
2018-10-03 19:37:53 +00:00
// Stop gRPC
if a.grpcServer != nil {
a.grpcServer.Stop()
}
// Stop the proxy config manager
if a.proxyConfig != nil {
a.proxyConfig.Close()
}
Add a Close method to cache that stops background goroutines. (#4746) In a real agent the `cache` instance is alive until the agent shuts down so this is not a real leak in production, however in out test suite, every testAgent that is started and stops leaks goroutines that never get cleaned up which accumulate consuming CPU and memory through subsequent test in the `agent` package which doesn't help our test flakiness. This adds a Close method that doesn't invalidate or clean up the cache, and still allows concurrent blocking queries to run (for up to 10 mins which might still affect tests). But at least it doesn't maintain them forever with background refresh and an expiry watcher routine. It would be nice to cancel any outstanding blocking requests as well when we close but that requires much more invasive surgery right into our RPC protocol since we don't have a way to cancel requests currently. Unscientifically this seems to make tests pass a bit quicker and more reliably locally but I can't really be sure of that!
2018-10-04 10:27:11 +00:00
// Stop the cache background work
if a.cache != nil {
a.cache.Close()
}
agent: shutdown delegate if created When the TestAgent shuts down a half-started agent the delegate may not have been created at this point.
2017-05-22 21:59:54 +00:00
var err error
if a.delegate != nil {
err = a.delegate.Shutdown()
agent: print more useful shutdown message
2017-05-23 10:15:25 +00:00
if _, ok := a.delegate.(*consul.Server); ok {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Info("consul server down")
agent: print more useful shutdown message
2017-05-23 10:15:25 +00:00
} else {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Info("consul client down")
agent: print more useful shutdown message
2017-05-23 10:15:25 +00:00
}
agent: shutdown delegate if created When the TestAgent shuts down a half-started agent the delegate may not have been created at this point.
2017-05-22 21:59:54 +00:00
}
Working on the agent
2013-12-21 00:39:32 +00:00
Return pid file errors and fix help formatting
2014-05-06 16:57:53 +00:00
pidErr := a.deletePid()
if pidErr != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Warn("could not delete pid file", "error", pidErr)
Return pid file errors and fix help formatting
2014-05-06 16:57:53 +00:00
}
Add flag to agent to write pid file
2014-05-06 03:29:50 +00:00
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Info("shutdown complete")
Working on the agent
2013-12-21 00:39:32 +00:00
a.shutdown = true
Revert "agent: fix 'consul leave' shutdown race (#2880)" This reverts commit 90c83a32b586c7d4add8d8ca0096025ecb886a77.
2017-06-19 19:34:08 +00:00
close(a.shutdownCh)
Working on the agent
2013-12-21 00:39:32 +00:00
return err
agent: fix 'consul leave' shutdown race (#2880) When the agent is triggered to shutdown via an external 'consul leave' command delivered via the HTTP API then the client expects to receive a response when the agent is down. This creates a race on when to shutdown the agent itself like the RPC server, the checks and the state and the external endpoints like DNS and HTTP. This patch splits the shutdown process into two parts: * shutdown the agent * shutdown the endpoints (http and dns) They can be executed multiple times, concurrently and in any order but should be executed first agent, then endpoints to provide consistent behavior across all use cases. Both calls have to be executed for a proper shutdown. This could be partially hidden in a single function but would introduce some magic that happens behind the scenes which one has to know of but isn't obvious. Fixes #2880
2017-06-20 07:29:20 +00:00
}
// ShutdownEndpoints terminates the HTTP and DNS servers. Should be
Spelling (#3958) * spelling: another * spelling: autopilot * spelling: beginning * spelling: circonus * spelling: default * spelling: definition * spelling: distance * spelling: encountered * spelling: enterprise * spelling: expands * spelling: exits * spelling: formatting * spelling: health * spelling: hierarchy * spelling: imposed * spelling: independence * spelling: inspect * spelling: last * spelling: latest * spelling: client * spelling: message * spelling: minimum * spelling: notify * spelling: nonexistent * spelling: operator * spelling: payload * spelling: preceded * spelling: prepared * spelling: programmatically * spelling: required * spelling: reconcile * spelling: responses * spelling: request * spelling: response * spelling: results * spelling: retrieve * spelling: service * spelling: significantly * spelling: specifies * spelling: supported * spelling: synchronization * spelling: synchronous * spelling: themselves * spelling: unexpected * spelling: validations * spelling: value
2018-03-19 16:56:00 +00:00
// preceded by ShutdownAgent.
agent: add apiServers type for managing HTTP servers Remove Server field from HTTPServer. The field is no longer used.
2020-07-02 17:31:47 +00:00
// TODO: remove this method, move to ShutdownAgent
agent: fix 'consul leave' shutdown race (#2880) When the agent is triggered to shutdown via an external 'consul leave' command delivered via the HTTP API then the client expects to receive a response when the agent is down. This creates a race on when to shutdown the agent itself like the RPC server, the checks and the state and the external endpoints like DNS and HTTP. This patch splits the shutdown process into two parts: * shutdown the agent * shutdown the endpoints (http and dns) They can be executed multiple times, concurrently and in any order but should be executed first agent, then endpoints to provide consistent behavior across all use cases. Both calls have to be executed for a proper shutdown. This could be partially hidden in a single function but would introduce some magic that happens behind the scenes which one has to know of but isn't obvious. Fixes #2880
2017-06-20 07:29:20 +00:00
func (a *Agent) ShutdownEndpoints() {
a.shutdownLock.Lock()
defer a.shutdownLock.Unlock()
agent: add apiServers type for managing HTTP servers Remove Server field from HTTPServer. The field is no longer used.
2020-07-02 17:31:47 +00:00
ctx := context.TODO()
agent: fix 'consul leave' shutdown race (#2880) When the agent is triggered to shutdown via an external 'consul leave' command delivered via the HTTP API then the client expects to receive a response when the agent is down. This creates a race on when to shutdown the agent itself like the RPC server, the checks and the state and the external endpoints like DNS and HTTP. This patch splits the shutdown process into two parts: * shutdown the agent * shutdown the endpoints (http and dns) They can be executed multiple times, concurrently and in any order but should be executed first agent, then endpoints to provide consistent behavior across all use cases. Both calls have to be executed for a proper shutdown. This could be partially hidden in a single function but would introduce some magic that happens behind the scenes which one has to know of but isn't obvious. Fixes #2880
2017-06-20 07:29:20 +00:00
for _, srv := range a.dnsServers {
test: fix TestAgent.Start() to not segfault if the DNSServer cannot ListenAndServe (#6409) The embedded `Server` field on a `DNSServer` is only set inside of the `ListenAndServe` method. If that method fails for reasons like the address being in use and is not bindable, then the `Server` field will not be set and the overall `Agent.Start()` will fail. This will trigger the inner loop of `TestAgent.Start()` to invoke `ShutdownEndpoints` which will attempt to pretty print the DNS servers using fields on that inner `Server` field. Because it was never set, this causes a nil pointer dereference and crashes the test.
2019-08-27 15:45:05 +00:00
if srv.Server != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Info("Stopping server",
"protocol", "DNS",
"address", srv.Server.Addr,
"network", srv.Server.Net,
)
test: fix TestAgent.Start() to not segfault if the DNSServer cannot ListenAndServe (#6409) The embedded `Server` field on a `DNSServer` is only set inside of the `ListenAndServe` method. If that method fails for reasons like the address being in use and is not bindable, then the `Server` field will not be set and the overall `Agent.Start()` will fail. This will trigger the inner loop of `TestAgent.Start()` to invoke `ShutdownEndpoints` which will attempt to pretty print the DNS servers using fields on that inner `Server` field. Because it was never set, this causes a nil pointer dereference and crashes the test.
2019-08-27 15:45:05 +00:00
srv.Shutdown()
}
agent: fix 'consul leave' shutdown race (#2880) When the agent is triggered to shutdown via an external 'consul leave' command delivered via the HTTP API then the client expects to receive a response when the agent is down. This creates a race on when to shutdown the agent itself like the RPC server, the checks and the state and the external endpoints like DNS and HTTP. This patch splits the shutdown process into two parts: * shutdown the agent * shutdown the endpoints (http and dns) They can be executed multiple times, concurrently and in any order but should be executed first agent, then endpoints to provide consistent behavior across all use cases. Both calls have to be executed for a proper shutdown. This could be partially hidden in a single function but would introduce some magic that happens behind the scenes which one has to know of but isn't obvious. Fixes #2880
2017-06-20 07:29:20 +00:00
}
a.dnsServers = nil
agent: add apiServers type for managing HTTP servers Remove Server field from HTTPServer. The field is no longer used.
2020-07-02 17:31:47 +00:00
a.apiServers.Shutdown(ctx)
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Info("Waiting for endpoints to shut down")
agent: add apiServers type for managing HTTP servers Remove Server field from HTTPServer. The field is no longer used.
2020-07-02 17:31:47 +00:00
if err := a.apiServers.WaitForShutdown(); err != nil {
a.logger.Error(err.Error())
}
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Info("Endpoints down")
Working on the agent
2013-12-21 00:39:32 +00:00
}
agent: move retry join into agent
2017-06-02 09:55:29 +00:00
// RetryJoinCh is a channel that transports errors
// from the retry join process.
func (a *Agent) RetryJoinCh() <-chan error {
return a.retryJoinCh
}
documentation: minor comment consistency in agent.go
2014-04-18 05:46:31 +00:00
// ShutdownCh is used to return a channel that can be
// selected to wait for the agent to perform a shutdown.
Working on the agent
2013-12-21 00:39:32 +00:00
func (a *Agent) ShutdownCh() <-chan struct{} {
return a.shutdownCh
Agent skeleton
2013-12-20 01:14:46 +00:00
}
Pulling in the RPC framework from serf
2013-12-30 22:42:41 +00:00
// JoinLAN is used to have the agent join a LAN cluster
func (a *Agent) JoinLAN(addrs []string) (n int, err error) {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Info("(LAN) joining", "lan_addresses", addrs)
agent: Replace client/server with delegate interface This patch adds a new internal interface clientServer which defines the common methods of consul.Client and consul.Server. This allows to replace the following code if a.server != nil { a.server.do() } else { a.client.do() } with a.delegate.do() In case a specific type is required a type check can be performed: if srv, ok := a.delegate.(*consul.Server); ok { srv.doSrv() }
2017-05-15 14:05:17 +00:00
n, err = a.delegate.JoinLAN(addrs)
agent: Improve startup message to avoid confusing users when no error occurs (#5896) * Improve startup message to avoid confusing users when no error occurs Several times, some users not very familiar with Consul get confused by error message at startup: `[INFO] agent: (LAN) joined: 1 Err: <nil>` Having `Err: <nil>` seems weird to many users, I propose to have the following instead: * Success: `[INFO] agent: (LAN) joined: 1` * Error: `[WARN] agent: (LAN) couldn't join: %d Err: ERROR`
2019-05-24 14:50:18 +00:00
if err == nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Info("(LAN) joined", "number_of_nodes", n)
agent: Improve startup message to avoid confusing users when no error occurs (#5896) * Improve startup message to avoid confusing users when no error occurs Several times, some users not very familiar with Consul get confused by error message at startup: `[INFO] agent: (LAN) joined: 1 Err: <nil>` Having `Err: <nil>` seems weird to many users, I propose to have the following instead: * Success: `[INFO] agent: (LAN) joined: 1` * Error: `[WARN] agent: (LAN) couldn't join: %d Err: ERROR`
2019-05-24 14:50:18 +00:00
if a.joinLANNotifier != nil {
if notifErr := a.joinLANNotifier.Notify(systemd.Ready); notifErr != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Debug("systemd notify failed", "error", notifErr)
agent: Improve startup message to avoid confusing users when no error occurs (#5896) * Improve startup message to avoid confusing users when no error occurs Several times, some users not very familiar with Consul get confused by error message at startup: `[INFO] agent: (LAN) joined: 1 Err: <nil>` Having `Err: <nil>` seems weird to many users, I propose to have the following instead: * Success: `[INFO] agent: (LAN) joined: 1` * Error: `[WARN] agent: (LAN) couldn't join: %d Err: ERROR`
2019-05-24 14:50:18 +00:00
}
agent: notify systemd after JoinLAN (#2121) This patch adds support for notifying systemd via the NOTIFY_SOCKET by sending 'READY=1' to the socket after a successful JoinLAN. Fixes #2121
2017-06-21 04:43:55 +00:00
}
agent: Improve startup message to avoid confusing users when no error occurs (#5896) * Improve startup message to avoid confusing users when no error occurs Several times, some users not very familiar with Consul get confused by error message at startup: `[INFO] agent: (LAN) joined: 1 Err: <nil>` Having `Err: <nil>` seems weird to many users, I propose to have the following instead: * Success: `[INFO] agent: (LAN) joined: 1` * Error: `[WARN] agent: (LAN) couldn't join: %d Err: ERROR`
2019-05-24 14:50:18 +00:00
} else {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Warn("(LAN) couldn't join",
"number_of_nodes", n,
"error", err,
)
agent: notify systemd after JoinLAN (#2121) This patch adds support for notifying systemd via the NOTIFY_SOCKET by sending 'READY=1' to the socket after a successful JoinLAN. Fixes #2121
2017-06-21 04:43:55 +00:00
}
Pulling in the RPC framework from serf
2013-12-30 22:42:41 +00:00
return
}
// JoinWAN is used to have the agent join a WAN cluster
func (a *Agent) JoinWAN(addrs []string) (n int, err error) {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Info("(WAN) joining", "wan_addresses", addrs)
agent: Replace client/server with delegate interface This patch adds a new internal interface clientServer which defines the common methods of consul.Client and consul.Server. This allows to replace the following code if a.server != nil { a.server.do() } else { a.client.do() } with a.delegate.do() In case a specific type is required a type check can be performed: if srv, ok := a.delegate.(*consul.Server); ok { srv.doSrv() }
2017-05-15 14:05:17 +00:00
if srv, ok := a.delegate.(*consul.Server); ok {
n, err = srv.JoinWAN(addrs)
Pulling in the RPC framework from serf
2013-12-30 22:42:41 +00:00
} else {
err = fmt.Errorf("Must be a server to join WAN cluster")
}
agent: Improve startup message to avoid confusing users when no error occurs (#5896) * Improve startup message to avoid confusing users when no error occurs Several times, some users not very familiar with Consul get confused by error message at startup: `[INFO] agent: (LAN) joined: 1 Err: <nil>` Having `Err: <nil>` seems weird to many users, I propose to have the following instead: * Success: `[INFO] agent: (LAN) joined: 1` * Error: `[WARN] agent: (LAN) couldn't join: %d Err: ERROR`
2019-05-24 14:50:18 +00:00
if err == nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Info("(WAN) joined", "number_of_nodes", n)
agent: Improve startup message to avoid confusing users when no error occurs (#5896) * Improve startup message to avoid confusing users when no error occurs Several times, some users not very familiar with Consul get confused by error message at startup: `[INFO] agent: (LAN) joined: 1 Err: <nil>` Having `Err: <nil>` seems weird to many users, I propose to have the following instead: * Success: `[INFO] agent: (LAN) joined: 1` * Error: `[WARN] agent: (LAN) couldn't join: %d Err: ERROR`
2019-05-24 14:50:18 +00:00
} else {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Warn("(WAN) couldn't join",
"number_of_nodes", n,
"error", err,
)
agent: Improve startup message to avoid confusing users when no error occurs (#5896) * Improve startup message to avoid confusing users when no error occurs Several times, some users not very familiar with Consul get confused by error message at startup: `[INFO] agent: (LAN) joined: 1 Err: <nil>` Having `Err: <nil>` seems weird to many users, I propose to have the following instead: * Success: `[INFO] agent: (LAN) joined: 1` * Error: `[WARN] agent: (LAN) couldn't join: %d Err: ERROR`
2019-05-24 14:50:18 +00:00
}
Pulling in the RPC framework from serf
2013-12-30 22:42:41 +00:00
return
}
wan federation via mesh gateways (#6884) This is like a Möbius strip of code due to the fact that low-level components (serf/memberlist) are connected to high-level components (the catalog and mesh-gateways) in a twisty maze of references which make it hard to dive into. With that in mind here's a high level summary of what you'll find in the patch: There are several distinct chunks of code that are affected: * new flags and config options for the server * retry join WAN is slightly different * retry join code is shared to discover primary mesh gateways from secondary datacenters * because retry join logic runs in the *agent* and the results of that operation for primary mesh gateways are needed in the *server* there are some methods like `RefreshPrimaryGatewayFallbackAddresses` that must occur at multiple layers of abstraction just to pass the data down to the right layer. * new cache type `FederationStateListMeshGatewaysName` for use in `proxycfg/xds` layers * the function signature for RPC dialing picked up a new required field (the node name of the destination) * several new RPCs for manipulating a FederationState object: `FederationState:{Apply,Get,List,ListMeshGateways}` * 3 read-only internal APIs for debugging use to invoke those RPCs from curl * raft and fsm changes to persist these FederationStates * replication for FederationStates as they are canonically stored in the Primary and replicated to the Secondaries. * a special derivative of anti-entropy that runs in secondaries to snapshot their local mesh gateway `CheckServiceNodes` and sync them into their upstream FederationState in the primary (this works in conjunction with the replication to distribute addresses for all mesh gateways in all DCs to all other DCs) * a "gateway locator" convenience object to make use of this data to choose the addresses of gateways to use for any given RPC or gossip operation to a remote DC. This gets data from the "retry join" logic in the agent and also directly calls into the FSM. * RPC (`:8300`) on the server sniffs the first byte of a new connection to determine if it's actually doing native TLS. If so it checks the ALPN header for protocol determination (just like how the existing system uses the type-byte marker). * 2 new kinds of protocols are exclusively decoded via this native TLS mechanism: one for ferrying "packet" operations (udp-like) from the gossip layer and one for "stream" operations (tcp-like). The packet operations re-use sockets (using length-prefixing) to cut down on TLS re-negotiation overhead. * the server instances specially wrap the `memberlist.NetTransport` when running with gateway federation enabled (in a `wanfed.Transport`). The general gist is that if it tries to dial a node in the SAME datacenter (deduced by looking at the suffix of the node name) there is no change. If dialing a DIFFERENT datacenter it is wrapped up in a TLS+ALPN blob and sent through some mesh gateways to eventually end up in a server's :8300 port. * a new flag when launching a mesh gateway via `consul connect envoy` to indicate that the servers are to be exposed. This sets a special service meta when registering the gateway into the catalog. * `proxycfg/xds` notice this metadata blob to activate additional watches for the FederationState objects as well as the location of all of the consul servers in that datacenter. * `xds:` if the extra metadata is in place additional clusters are defined in a DC to bulk sink all traffic to another DC's gateways. For the current datacenter we listen on a wildcard name (`server.<dc>.consul`) that load balances all servers as well as one mini-cluster per node (`<node>.server.<dc>.consul`) * the `consul tls cert create` command got a new flag (`-node`) to help create an additional SAN in certs that can be used with this flavor of federation.
2020-03-09 20:59:02 +00:00
// PrimaryMeshGatewayAddressesReadyCh returns a channel that will be closed
// when federation state replication ships back at least one primary mesh
// gateway (not via fallback config).
func (a *Agent) PrimaryMeshGatewayAddressesReadyCh() <-chan struct{} {
if srv, ok := a.delegate.(*consul.Server); ok {
return srv.PrimaryMeshGatewayAddressesReadyCh()
}
return nil
}
// PickRandomMeshGatewaySuitableForDialing is a convenience function used for writing tests.
func (a *Agent) PickRandomMeshGatewaySuitableForDialing(dc string) string {
if srv, ok := a.delegate.(*consul.Server); ok {
return srv.PickRandomMeshGatewaySuitableForDialing(dc)
}
return ""
}
// RefreshPrimaryGatewayFallbackAddresses is used to update the list of current
// fallback addresses for locating mesh gateways in the primary datacenter.
func (a *Agent) RefreshPrimaryGatewayFallbackAddresses(addrs []string) error {
if srv, ok := a.delegate.(*consul.Server); ok {
srv.RefreshPrimaryGatewayFallbackAddresses(addrs)
return nil
}
return fmt.Errorf("Must be a server to track mesh gateways in the primary datacenter")
}
Pulling in the RPC framework from serf
2013-12-30 22:42:41 +00:00
// ForceLeave is used to remove a failed node from the cluster
Prune Unhealthy Agents (#6571) * Add -prune flag to ForceLeave
2019-10-04 21:10:02 +00:00
func (a *Agent) ForceLeave(node string, prune bool) (err error) {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Info("Force leaving node", "node", node)
give feedback to CLI user on forceleave command if node does not exist (#6841)
2019-12-02 19:06:15 +00:00
if ok := a.IsMember(node); !ok {
return fmt.Errorf("agent: No node found with name '%s'", node)
}
Prune Unhealthy Agents (#6571) * Add -prune flag to ForceLeave
2019-10-04 21:10:02 +00:00
err = a.delegate.RemoveFailedNode(node, prune)
Pulling in the RPC framework from serf
2013-12-30 22:42:41 +00:00
if err != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Warn("Failed to remove node",
"node", node,
"error", err,
)
Pulling in the RPC framework from serf
2013-12-30 22:42:41 +00:00
}
return err
}
Add `/v1/agent/self` and return local agent config
2014-05-25 23:59:48 +00:00
// LocalMember is used to return the local node
func (a *Agent) LocalMember() serf.Member {
agent: Replace client/server with delegate interface This patch adds a new internal interface clientServer which defines the common methods of consul.Client and consul.Server. This allows to replace the following code if a.server != nil { a.server.do() } else { a.client.do() } with a.delegate.do() In case a specific type is required a type check can be performed: if srv, ok := a.delegate.(*consul.Server); ok { srv.doSrv() }
2017-05-15 14:05:17 +00:00
return a.delegate.LocalMember()
Add `/v1/agent/self` and return local agent config
2014-05-25 23:59:48 +00:00
}
documentation: minor comment consistency in agent.go
2014-04-18 05:46:31 +00:00
// LANMembers is used to retrieve the LAN members
Pulling in the RPC framework from serf
2013-12-30 22:42:41 +00:00
func (a *Agent) LANMembers() []serf.Member {
agent: Replace client/server with delegate interface This patch adds a new internal interface clientServer which defines the common methods of consul.Client and consul.Server. This allows to replace the following code if a.server != nil { a.server.do() } else { a.client.do() } with a.delegate.do() In case a specific type is required a type check can be performed: if srv, ok := a.delegate.(*consul.Server); ok { srv.doSrv() }
2017-05-15 14:05:17 +00:00
return a.delegate.LANMembers()
Pulling in the RPC framework from serf
2013-12-30 22:42:41 +00:00
}
documentation: minor comment consistency in agent.go
2014-04-18 05:46:31 +00:00
// WANMembers is used to retrieve the WAN members
Pulling in the RPC framework from serf
2013-12-30 22:42:41 +00:00
func (a *Agent) WANMembers() []serf.Member {
agent: Replace client/server with delegate interface This patch adds a new internal interface clientServer which defines the common methods of consul.Client and consul.Server. This allows to replace the following code if a.server != nil { a.server.do() } else { a.client.do() } with a.delegate.do() In case a specific type is required a type check can be performed: if srv, ok := a.delegate.(*consul.Server); ok { srv.doSrv() }
2017-05-15 14:05:17 +00:00
if srv, ok := a.delegate.(*consul.Server); ok {
return srv.WANMembers()
Pulling in the RPC framework from serf
2013-12-30 22:42:41 +00:00
}
golint: Untangle if blocks with return in else
2017-04-21 01:59:42 +00:00
return nil
Pulling in the RPC framework from serf
2013-12-30 22:42:41 +00:00
}
Seperate localState from Agent
2014-01-21 19:52:25 +00:00
give feedback to CLI user on forceleave command if node does not exist (#6841)
2019-12-02 19:06:15 +00:00
// IsMember is used to check if a node with the given nodeName
// is a member
func (a *Agent) IsMember(nodeName string) bool {
for _, m := range a.LANMembers() {
if m.Name == nodeName {
return true
}
}
return false
}
Seperate localState from Agent
2014-01-21 19:52:25 +00:00
// StartSync is called once Services and Checks are registered.
// This is called to prevent a race between clients and the anti-entropy routines
func (a *Agent) StartSync() {
agent: decouple anti-entropy from local state The anti-entropy code manages background synchronizations of the local state on a regular basis or on demand when either the state has changed or a new consul server has been added. This patch moves the anti-entropy code into its own package and decouples it from the local state code since they are performing two different functions. To simplify code-review this revision does not make any optimizations, renames or refactorings. This will happen in subsequent commits.
2017-08-28 12:17:09 +00:00
go a.sync.Run()
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Info("started state syncer")
Seperate localState from Agent
2014-01-21 19:52:25 +00:00
}
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
Add -sidecar-for and new /agent/service/:service_id endpoint (#4691) - A new endpoint `/v1/agent/service/:service_id` which is a generic way to look up the service for a single instance. The primary value here is that it: - **supports hash-based blocking** and so; - **replaces `/agent/connect/proxy/:proxy_id`** as the mechanism the built-in proxy uses to read its config. - It's not proxy specific and so works for any service. - It has a temporary shim to call through to the existing endpoint to preserve current managed proxy config defaulting behaviour until that is removed entirely (tested). - The built-in proxy now uses the new endpoint exclusively for it's config - The built-in proxy now has a `-sidecar-for` flag that allows the service ID of the _target_ service to be specified, on the condition that there is exactly one "sidecar" proxy (that is one that has `Proxy.DestinationServiceID` set) for the service registered. - Several fixes for edge cases for SidecarService - A fix for `Alias` checks - when running locally they didn't update their state until some external thing updated the target. If the target service has no checks registered as below, then the alias never made it past critical.
2018-09-27 14:00:51 +00:00
// PauseSync is used to pause anti-entropy while bulk changes are made. It also
// sets state that agent-local watches use to "ride out" config reloads and bulk
// updates which might spuriously unload state and reload it again.
agent: adding ability to reload services and checks
2014-02-07 20:19:56 +00:00
func (a *Agent) PauseSync() {
Add -sidecar-for and new /agent/service/:service_id endpoint (#4691) - A new endpoint `/v1/agent/service/:service_id` which is a generic way to look up the service for a single instance. The primary value here is that it: - **supports hash-based blocking** and so; - **replaces `/agent/connect/proxy/:proxy_id`** as the mechanism the built-in proxy uses to read its config. - It's not proxy specific and so works for any service. - It has a temporary shim to call through to the existing endpoint to preserve current managed proxy config defaulting behaviour until that is removed entirely (tested). - The built-in proxy now uses the new endpoint exclusively for it's config - The built-in proxy now has a `-sidecar-for` flag that allows the service ID of the _target_ service to be specified, on the condition that there is exactly one "sidecar" proxy (that is one that has `Proxy.DestinationServiceID` set) for the service registered. - Several fixes for edge cases for SidecarService - A fix for `Alias` checks - when running locally they didn't update their state until some external thing updated the target. If the target service has no checks registered as below, then the alias never made it past critical.
2018-09-27 14:00:51 +00:00
// Do this outside of lock as it has it's own locking
agent: decouple anti-entropy from local state The anti-entropy code manages background synchronizations of the local state on a regular basis or on demand when either the state has changed or a new consul server has been added. This patch moves the anti-entropy code into its own package and decouples it from the local state code since they are performing two different functions. To simplify code-review this revision does not make any optimizations, renames or refactorings. This will happen in subsequent commits.
2017-08-28 12:17:09 +00:00
a.sync.Pause()
Add -sidecar-for and new /agent/service/:service_id endpoint (#4691) - A new endpoint `/v1/agent/service/:service_id` which is a generic way to look up the service for a single instance. The primary value here is that it: - **supports hash-based blocking** and so; - **replaces `/agent/connect/proxy/:proxy_id`** as the mechanism the built-in proxy uses to read its config. - It's not proxy specific and so works for any service. - It has a temporary shim to call through to the existing endpoint to preserve current managed proxy config defaulting behaviour until that is removed entirely (tested). - The built-in proxy now uses the new endpoint exclusively for it's config - The built-in proxy now has a `-sidecar-for` flag that allows the service ID of the _target_ service to be specified, on the condition that there is exactly one "sidecar" proxy (that is one that has `Proxy.DestinationServiceID` set) for the service registered. - Several fixes for edge cases for SidecarService - A fix for `Alias` checks - when running locally they didn't update their state until some external thing updated the target. If the target service has no checks registered as below, then the alias never made it past critical.
2018-09-27 14:00:51 +00:00
// Coordinate local state watchers
a.syncMu.Lock()
defer a.syncMu.Unlock()
if a.syncCh == nil {
a.syncCh = make(chan struct{})
}
agent: adding ability to reload services and checks
2014-02-07 20:19:56 +00:00
}
documentation: minor comment consistency in agent.go
2014-04-18 05:46:31 +00:00
// ResumeSync is used to unpause anti-entropy after bulk changes are make
agent: adding ability to reload services and checks
2014-02-07 20:19:56 +00:00
func (a *Agent) ResumeSync() {
Add -sidecar-for and new /agent/service/:service_id endpoint (#4691) - A new endpoint `/v1/agent/service/:service_id` which is a generic way to look up the service for a single instance. The primary value here is that it: - **supports hash-based blocking** and so; - **replaces `/agent/connect/proxy/:proxy_id`** as the mechanism the built-in proxy uses to read its config. - It's not proxy specific and so works for any service. - It has a temporary shim to call through to the existing endpoint to preserve current managed proxy config defaulting behaviour until that is removed entirely (tested). - The built-in proxy now uses the new endpoint exclusively for it's config - The built-in proxy now has a `-sidecar-for` flag that allows the service ID of the _target_ service to be specified, on the condition that there is exactly one "sidecar" proxy (that is one that has `Proxy.DestinationServiceID` set) for the service registered. - Several fixes for edge cases for SidecarService - A fix for `Alias` checks - when running locally they didn't update their state until some external thing updated the target. If the target service has no checks registered as below, then the alias never made it past critical.
2018-09-27 14:00:51 +00:00
// a.sync maintains a stack/ref count of Pause calls since we call
// Pause/Resume in nested way during a reload and AddService. We only want to
// trigger local state watchers if this Resume call actually started sync back
// up again (i.e. was the last resume on the stack). We could check that
// separately with a.sync.Paused but that is racey since another Pause call
// might be made between our Resume and checking Paused.
resumed := a.sync.Resume()
if !resumed {
// Return early so we don't notify local watchers until we are actually
// resumed.
return
}
// Coordinate local state watchers
a.syncMu.Lock()
defer a.syncMu.Unlock()
if a.syncCh != nil {
close(a.syncCh)
a.syncCh = nil
}
}
Add accessorID of token when ops are denied by ACL system (#7117) * agent: add and edit doc comments * agent: add ACL token accessorID to debugging traces * agent: polish acl debugging * agent: minor fix + string fmt over value interp * agent: undo export & fix logging field names * agent: remove note and migrate up to code review * Update agent/consul/acl.go Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com> * agent: incorporate review feedback * Update agent/acl.go Co-Authored-By: R.B. Boyer <public@richardboyer.net> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>
2020-01-27 19:54:32 +00:00
// SyncPausedCh returns either a channel or nil. If nil sync is not paused. If
Add -sidecar-for and new /agent/service/:service_id endpoint (#4691) - A new endpoint `/v1/agent/service/:service_id` which is a generic way to look up the service for a single instance. The primary value here is that it: - **supports hash-based blocking** and so; - **replaces `/agent/connect/proxy/:proxy_id`** as the mechanism the built-in proxy uses to read its config. - It's not proxy specific and so works for any service. - It has a temporary shim to call through to the existing endpoint to preserve current managed proxy config defaulting behaviour until that is removed entirely (tested). - The built-in proxy now uses the new endpoint exclusively for it's config - The built-in proxy now has a `-sidecar-for` flag that allows the service ID of the _target_ service to be specified, on the condition that there is exactly one "sidecar" proxy (that is one that has `Proxy.DestinationServiceID` set) for the service registered. - Several fixes for edge cases for SidecarService - A fix for `Alias` checks - when running locally they didn't update their state until some external thing updated the target. If the target service has no checks registered as below, then the alias never made it past critical.
2018-09-27 14:00:51 +00:00
// non-nil, the channel will be closed when sync resumes.
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
func (a *Agent) SyncPausedCh() <-chan struct{} {
Add -sidecar-for and new /agent/service/:service_id endpoint (#4691) - A new endpoint `/v1/agent/service/:service_id` which is a generic way to look up the service for a single instance. The primary value here is that it: - **supports hash-based blocking** and so; - **replaces `/agent/connect/proxy/:proxy_id`** as the mechanism the built-in proxy uses to read its config. - It's not proxy specific and so works for any service. - It has a temporary shim to call through to the existing endpoint to preserve current managed proxy config defaulting behaviour until that is removed entirely (tested). - The built-in proxy now uses the new endpoint exclusively for it's config - The built-in proxy now has a `-sidecar-for` flag that allows the service ID of the _target_ service to be specified, on the condition that there is exactly one "sidecar" proxy (that is one that has `Proxy.DestinationServiceID` set) for the service registered. - Several fixes for edge cases for SidecarService - A fix for `Alias` checks - when running locally they didn't update their state until some external thing updated the target. If the target service has no checks registered as below, then the alias never made it past critical.
2018-09-27 14:00:51 +00:00
a.syncMu.Lock()
defer a.syncMu.Unlock()
return a.syncCh
agent: adding ability to reload services and checks
2014-02-07 20:19:56 +00:00
}
Adds open source side of network segments (feature is Enterprise-only).
2017-08-14 14:36:07 +00:00
// GetLANCoordinate returns the coordinates of this node in the local pools
// (assumes coordinates are enabled, so check that before calling).
func (a *Agent) GetLANCoordinate() (lib.CoordinateSet, error) {
agent: Replace client/server with delegate interface This patch adds a new internal interface clientServer which defines the common methods of consul.Client and consul.Server. This allows to replace the following code if a.server != nil { a.server.do() } else { a.client.do() } with a.delegate.do() In case a specific type is required a type check can be performed: if srv, ok := a.delegate.(*consul.Server); ok { srv.doSrv() }
2017-05-15 14:05:17 +00:00
return a.delegate.GetLANCoordinate()
Makes the default protocol 2 and lets 3 interoperate with 2.
2015-10-16 02:28:31 +00:00
}
Does a clean up pass on the Consul side.
2015-06-06 03:31:33 +00:00
// sendCoordinate is a long-running loop that periodically sends our coordinate
// to the server. Closing the agent's shutdownChannel will cause this to exit.
func (a *Agent) sendCoordinate() {
Adds open source side of network segments (feature is Enterprise-only).
2017-08-14 14:36:07 +00:00
OUTER:
Complete logic for sending coordinates
2015-04-15 23:12:45 +00:00
for {
Scales coordinate sends to hit a fixed aggregate rate across the cluster.
2015-06-30 19:02:05 +00:00
rate := a.config.SyncCoordinateRateTarget
min := a.config.SyncCoordinateIntervalMin
Factor out duplicate functions into a lib package Consolidate code duplication and tests into a single lib package. Most of these functions were from various **/util.go functions that couldn't be imported due to cyclic imports. The consul/lib package is intended to be a terminal node in an import DAG and a place to stash various consul-only helper functions. Pulled in hashicorp/go-uuid instead of consolidating UUID access.
2016-01-29 19:42:34 +00:00
intv := lib.RateScaledInterval(rate, min, len(a.LANMembers()))
intv = intv + lib.RandomStagger(intv)
Does a clean up pass on the Consul side.
2015-06-06 03:31:33 +00:00
Complete logic for sending coordinates
2015-04-15 23:12:45 +00:00
select {
Address comments
2015-04-29 01:47:41 +00:00
case <-time.After(intv):
Makes the version upshift code look at the correct version field.
2015-10-27 21:30:29 +00:00
members := a.LANMembers()
grok, err := consul.CanServersUnderstandProtocol(members, 3)
if err != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Error("Failed to check servers", "error", err)
Makes the version upshift code look at the correct version field.
2015-10-27 21:30:29 +00:00
continue
}
if !grok {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Debug("Skipping coordinate updates until servers are upgraded")
Makes the default protocol 2 and lets 3 interoperate with 2.
2015-10-16 02:28:31 +00:00
continue
}
Adds open source side of network segments (feature is Enterprise-only).
2017-08-14 14:36:07 +00:00
cs, err := a.GetLANCoordinate()
Makes the version upshift code look at the correct version field.
2015-10-27 21:30:29 +00:00
if err != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Error("Failed to get coordinate", "error", err)
Does some small cleanups based on PR feedback. * Holds coordinate updates in map and gets rid of the update channel. * Cleans up config variables a bit.
2015-06-29 22:53:29 +00:00
continue
}
Adds open source side of network segments (feature is Enterprise-only).
2017-08-14 14:36:07 +00:00
for segment, coord := range cs {
Add accessorID of token when ops are denied by ACL system (#7117) * agent: add and edit doc comments * agent: add ACL token accessorID to debugging traces * agent: polish acl debugging * agent: minor fix + string fmt over value interp * agent: undo export & fix logging field names * agent: remove note and migrate up to code review * Update agent/consul/acl.go Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com> * agent: incorporate review feedback * Update agent/acl.go Co-Authored-By: R.B. Boyer <public@richardboyer.net> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>
2020-01-27 19:54:32 +00:00
agentToken := a.tokens.AgentToken()
Adds open source side of network segments (feature is Enterprise-only).
2017-08-14 14:36:07 +00:00
req := structs.CoordinateUpdateRequest{
Datacenter: a.config.Datacenter,
Node: a.config.NodeName,
Segment: segment,
Coord: coord,
Add accessorID of token when ops are denied by ACL system (#7117) * agent: add and edit doc comments * agent: add ACL token accessorID to debugging traces * agent: polish acl debugging * agent: minor fix + string fmt over value interp * agent: undo export & fix logging field names * agent: remove note and migrate up to code review * Update agent/consul/acl.go Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com> * agent: incorporate review feedback * Update agent/acl.go Co-Authored-By: R.B. Boyer <public@richardboyer.net> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>
2020-01-27 19:54:32 +00:00
WriteRequest: structs.WriteRequest{Token: agentToken},
Adds open source side of network segments (feature is Enterprise-only).
2017-08-14 14:36:07 +00:00
}
var reply struct{}
Add accessorID of token when ops are denied by ACL system (#7117) * agent: add and edit doc comments * agent: add ACL token accessorID to debugging traces * agent: polish acl debugging * agent: minor fix + string fmt over value interp * agent: undo export & fix logging field names * agent: remove note and migrate up to code review * Update agent/consul/acl.go Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com> * agent: incorporate review feedback * Update agent/acl.go Co-Authored-By: R.B. Boyer <public@richardboyer.net> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>
2020-01-27 19:54:32 +00:00
// todo(kit) port all of these logger calls to hclog w/ loglevel configuration
// todo(kit) handle acl.ErrNotFound cases here in the future
Adds open source side of network segments (feature is Enterprise-only).
2017-08-14 14:36:07 +00:00
if err := a.RPC("Coordinate.Update", &req, &reply); err != nil {
if acl.IsErrPermissionDenied(err) {
Add accessorID of token when ops are denied by ACL system (#7117) * agent: add and edit doc comments * agent: add ACL token accessorID to debugging traces * agent: polish acl debugging * agent: minor fix + string fmt over value interp * agent: undo export & fix logging field names * agent: remove note and migrate up to code review * Update agent/consul/acl.go Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com> * agent: incorporate review feedback * Update agent/acl.go Co-Authored-By: R.B. Boyer <public@richardboyer.net> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>
2020-01-27 19:54:32 +00:00
accessorID := a.aclAccessorID(agentToken)
various tweaks on top of the hclog work (#7165)
2020-01-29 17:16:08 +00:00
a.logger.Warn("Coordinate update blocked by ACLs", "accessorID", accessorID)
Adds open source side of network segments (feature is Enterprise-only).
2017-08-14 14:36:07 +00:00
} else {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Error("Coordinate update error", "error", err)
Adds open source side of network segments (feature is Enterprise-only).
2017-08-14 14:36:07 +00:00
}
continue OUTER
Cleans up version 8 ACLs in the agent and the docs. (#3248) * Moves magic check and service constants into shared structs package. * Removes the "consul" service from local state. Since this service is added by the leader, it doesn't really make sense to also keep it in local state (which requires special ACLs to configure), and requires a bunch of special cases in the local state logic. This requires fewer special cases and makes ACL bootstrapping cleaner. * Makes coordinate update ACL log message a warning, similar to other AE warnings. * Adds much more detailed examples for bootstrapping ACLs. This can hopefully replace https://gist.github.com/slackpad/d89ce0e1cc0802c3c4f2d84932fa3234.
2017-07-14 05:33:47 +00:00
}
Complete logic for sending coordinates
2015-04-15 23:12:45 +00:00
}
Add a test case
2015-04-19 00:49:49 +00:00
case <-a.shutdownCh:
Complete logic for sending coordinates
2015-04-15 23:12:45 +00:00
return
}
Some fixes
2015-04-13 20:45:42 +00:00
}
Adding tests and stuff
2015-04-09 20:23:14 +00:00
}
Cleans up based on code review feedback.
2016-08-16 19:52:30 +00:00
// reapServicesInternal does a single pass, looking for services to reap.
func (a *Agent) reapServicesInternal() {
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
reaped := make(map[structs.ServiceID]bool)
for checkID, cs := range a.State.CriticalCheckStates(structs.WildcardEnterpriseMeta()) {
serviceID := cs.Check.CompoundServiceID()
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
2017-08-28 12:17:12 +00:00
Cleans up based on code review feedback.
2016-08-16 19:52:30 +00:00
// There's nothing to do if there's no service.
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
if serviceID.ID == "" {
Cleans up based on code review feedback.
2016-08-16 19:52:30 +00:00
continue
}
Adds ability to deregister a service based on critical check state longer than a timeout.
2016-08-16 07:05:55 +00:00
Cleans up based on code review feedback.
2016-08-16 19:52:30 +00:00
// There might be multiple checks for one service, so
// we don't need to reap multiple times.
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
2017-08-28 12:17:12 +00:00
if reaped[serviceID] {
Cleans up based on code review feedback.
2016-08-16 19:52:30 +00:00
continue
}
Adds ability to deregister a service based on critical check state longer than a timeout.
2016-08-16 07:05:55 +00:00
Cleans up based on code review feedback.
2016-08-16 19:52:30 +00:00
// See if there's a timeout.
Spelling (#3958) * spelling: another * spelling: autopilot * spelling: beginning * spelling: circonus * spelling: default * spelling: definition * spelling: distance * spelling: encountered * spelling: enterprise * spelling: expands * spelling: exits * spelling: formatting * spelling: health * spelling: hierarchy * spelling: imposed * spelling: independence * spelling: inspect * spelling: last * spelling: latest * spelling: client * spelling: message * spelling: minimum * spelling: notify * spelling: nonexistent * spelling: operator * spelling: payload * spelling: preceded * spelling: prepared * spelling: programmatically * spelling: required * spelling: reconcile * spelling: responses * spelling: request * spelling: response * spelling: results * spelling: retrieve * spelling: service * spelling: significantly * spelling: specifies * spelling: supported * spelling: synchronization * spelling: synchronous * spelling: themselves * spelling: unexpected * spelling: validations * spelling: value
2018-03-19 16:56:00 +00:00
// todo(fs): this looks fishy... why is there another data structure in the agent with its own lock?
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
a.stateLock.Lock()
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
2017-08-28 12:17:12 +00:00
timeout := a.checkReapAfter[checkID]
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
a.stateLock.Unlock()
Cleans up based on code review feedback.
2016-08-16 19:52:30 +00:00
// Reap, if necessary. We keep track of which service
// this is so that we won't try to remove it again.
local state: replace multi-map state with structs The state of the service and health check records was spread out over multiple maps guarded by a single lock. Access to the maps has to happen in a coordinated effort and the tests often violated this which made them brittle and racy. This patch replaces the multiple maps with a single one for both checks and services to make the code less fragile. This is also necessary since moving the local state into its own package creates circular dependencies for the tests. To avoid this the tests can no longer access internal data structures which they should not be doing in the first place. The tests still don't compile but this is a ncessary step in that direction.
2017-08-28 12:17:12 +00:00
if timeout > 0 && cs.CriticalFor() > timeout {
reaped[serviceID] = true
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
if err := a.RemoveService(serviceID); err != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Error("unable to deregister service after check has been critical for too long",
"service", serviceID.String(),
"check", checkID.String(),
"error", err)
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
} else {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Info("Check for service has been critical for too long; deregistered service",
"service", serviceID.String(),
"check", checkID.String(),
)
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
}
Adds ability to deregister a service based on critical check state longer than a timeout.
2016-08-16 07:05:55 +00:00
}
}
Cleans up based on code review feedback.
2016-08-16 19:52:30 +00:00
}
Adds ability to deregister a service based on critical check state longer than a timeout.
2016-08-16 07:05:55 +00:00
Cleans up based on code review feedback.
2016-08-16 19:52:30 +00:00
// reapServices is a long running goroutine that looks for checks that have been
Add deregister critical service field and refactor duration parsing
2017-10-26 02:17:41 +00:00
// critical too long and deregisters their associated services.
Cleans up based on code review feedback.
2016-08-16 19:52:30 +00:00
func (a *Agent) reapServices() {
Adds ability to deregister a service based on critical check state longer than a timeout.
2016-08-16 07:05:55 +00:00
for {
select {
case <-time.After(a.config.CheckReapInterval):
Cleans up based on code review feedback.
2016-08-16 19:52:30 +00:00
a.reapServicesInternal()
Adds ability to deregister a service based on critical check state longer than a timeout.
2016-08-16 07:05:55 +00:00
case <-a.shutdownCh:
return
}
}
}
agent: move structs into consul/structs pkg * CheckDefinition * ServiceDefinition * CheckType
2017-06-15 16:46:06 +00:00
// persistedService is used to wrap a service definition and bundle it
// with an ACL token so we can restore both at a later agent start.
type persistedService struct {
Token string
Service *structs.NodeService
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
Source string
agent: move structs into consul/structs pkg * CheckDefinition * ServiceDefinition * CheckType
2017-06-15 16:46:06 +00:00
}
agent: first pass at local service and check persistence
2014-11-24 08:36:03 +00:00
// persistService saves a service definition to a JSON file in the data dir
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
func (a *Agent) persistService(service *structs.NodeService, source configSource) error {
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
svcID := service.CompoundServiceID()
svcPath := filepath.Join(a.config.DataDir, servicesDir, svcID.StringHash())
Call fsync() for saving check/service state
2016-11-07 18:51:03 +00:00
agent: allow persisted services to be updated on disk
2015-05-06 05:08:03 +00:00
wrapped := persistedService{
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
Token: a.State.ServiceToken(service.CompoundServiceID()),
agent: allow persisted services to be updated on disk
2015-05-06 05:08:03 +00:00
Service: service,
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
Source: source.String(),
agent: allow persisted services to be updated on disk
2015-05-06 05:08:03 +00:00
}
encoded, err := json.Marshal(wrapped)
if err != nil {
Fixes some bad error returns in the persist service and check paths.
2016-04-26 22:03:26 +00:00
return err
agent: allow persisted services to be updated on disk
2015-05-06 05:08:03 +00:00
}
Call fsync() for saving check/service state
2016-11-07 18:51:03 +00:00
agent/proxy: write pid file whenever the daemon process changes
2018-05-03 20:56:42 +00:00
return file.WriteAtomic(svcPath, encoded)
agent: first pass at local service and check persistence
2014-11-24 08:36:03 +00:00
}
// purgeService removes a persisted service definition file from the data dir
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
func (a *Agent) purgeService(serviceID structs.ServiceID) error {
svcPath := filepath.Join(a.config.DataDir, servicesDir, serviceID.StringHash())
agent: first pass at local service and check persistence
2014-11-24 08:36:03 +00:00
if _, err := os.Stat(svcPath); err == nil {
return os.Remove(svcPath)
}
return nil
}
// persistCheck saves a check definition to the local agent's state directory
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
func (a *Agent) persistCheck(check *structs.HealthCheck, chkType *structs.CheckType, source configSource) error {
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
cid := check.CompoundCheckID()
checkPath := filepath.Join(a.config.DataDir, checksDir, cid.StringHash())
agent: persist CheckType with health checks
2014-11-29 20:25:01 +00:00
// Create the persisted check
agent: restore tokens for services and checks in config
2015-04-28 19:44:46 +00:00
wrapped := persistedCheck{
Check: check,
ChkType: chkType,
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
Token: a.State.CheckToken(check.CompoundCheckID()),
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
Source: source.String(),
agent: restore tokens for services and checks in config
2015-04-28 19:44:46 +00:00
}
agent: persist CheckType with health checks
2014-11-29 20:25:01 +00:00
agent: restore tokens for services and checks in config
2015-04-28 19:44:46 +00:00
encoded, err := json.Marshal(wrapped)
agent: persist CheckType with health checks
2014-11-29 20:25:01 +00:00
if err != nil {
Fixes some bad error returns in the persist service and check paths.
2016-04-26 22:03:26 +00:00
return err
agent: persist CheckType with health checks
2014-11-29 20:25:01 +00:00
}
Call fsync() for saving check/service state
2016-11-07 18:51:03 +00:00
agent/proxy: write pid file whenever the daemon process changes
2018-05-03 20:56:42 +00:00
return file.WriteAtomic(checkPath, encoded)
agent: first pass at local service and check persistence
2014-11-24 08:36:03 +00:00
}
// purgeCheck removes a persisted check definition file from the data dir
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
func (a *Agent) purgeCheck(checkID structs.CheckID) error {
checkPath := filepath.Join(a.config.DataDir, checksDir, checkID.StringHash())
agent: first pass at local service and check persistence
2014-11-24 08:36:03 +00:00
if _, err := os.Stat(checkPath); err == nil {
return os.Remove(checkPath)
}
return nil
}
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
// persistedServiceConfig is used to serialize the resolved service config that
// feeds into the ServiceManager at registration time so that it may be
// restored later on.
type persistedServiceConfig struct {
ServiceID string
Defaults *structs.ServiceConfigResponse
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
structs.EnterpriseMeta
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
}
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
func (a *Agent) persistServiceConfig(serviceID structs.ServiceID, defaults *structs.ServiceConfigResponse) error {
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
// Create the persisted config.
wrapped := persistedServiceConfig{
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
ServiceID: serviceID.ID,
Defaults: defaults,
EnterpriseMeta: serviceID.EnterpriseMeta,
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
}
encoded, err := json.Marshal(wrapped)
if err != nil {
return err
}
dir := filepath.Join(a.config.DataDir, serviceConfigDir)
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
configPath := filepath.Join(dir, serviceID.StringHash())
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
// Create the config dir if it doesn't exist
if err := os.MkdirAll(dir, 0700); err != nil {
return fmt.Errorf("failed creating service configs dir %q: %s", dir, err)
}
return file.WriteAtomic(configPath, encoded)
}
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
func (a *Agent) purgeServiceConfig(serviceID structs.ServiceID) error {
configPath := filepath.Join(a.config.DataDir, serviceConfigDir, serviceID.StringHash())
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
if _, err := os.Stat(configPath); err == nil {
return os.Remove(configPath)
}
return nil
}
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
func (a *Agent) readPersistedServiceConfigs() (map[structs.ServiceID]*structs.ServiceConfigResponse, error) {
out := make(map[structs.ServiceID]*structs.ServiceConfigResponse)
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
configDir := filepath.Join(a.config.DataDir, serviceConfigDir)
files, err := ioutil.ReadDir(configDir)
if err != nil {
if os.IsNotExist(err) {
return nil, nil
}
return nil, fmt.Errorf("Failed reading service configs dir %q: %s", configDir, err)
}
for _, fi := range files {
// Skip all dirs
if fi.IsDir() {
continue
}
// Skip all partially written temporary files
if strings.HasSuffix(fi.Name(), "tmp") {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Warn("Ignoring temporary service config file", "file", fi.Name())
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
continue
}
// Read the contents into a buffer
file := filepath.Join(configDir, fi.Name())
buf, err := ioutil.ReadFile(file)
if err != nil {
return nil, fmt.Errorf("failed reading service config file %q: %s", file, err)
}
// Try decoding the service config definition
var p persistedServiceConfig
if err := json.Unmarshal(buf, &p); err != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Error("Failed decoding service config file",
"file", file,
"error", err,
)
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
continue
}
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
out[structs.NewServiceID(p.ServiceID, &p.EnterpriseMeta)] = p.Defaults
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
}
return out, nil
}
Add option to register services and their checks idempotently (#4905)
2019-09-02 15:38:29 +00:00
// AddServiceAndReplaceChecks is used to add a service entry and its check. Any check for this service missing from chkTypes will be deleted.
// This entry is persistent and the agent will make a best effort to
// ensure it is registered
func (a *Agent) AddServiceAndReplaceChecks(service *structs.NodeService, chkTypes []*structs.CheckType, persist bool, token string, source configSource) error {
a.stateLock.Lock()
defer a.stateLock.Unlock()
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
return a.addServiceLocked(&addServiceRequest{
service: service,
chkTypes: chkTypes,
previousDefaults: nil,
waitForCentralConfig: true,
persist: persist,
persistServiceConfig: true,
token: token,
replaceExistingChecks: true,
source: source,
agent: when enable_central_service_config is enabled ensure agent reload doesn't revert check state to critical (#8747) Likely introduced when #7345 landed.
2020-09-24 21:24:04 +00:00
snap: a.snapshotCheckState(),
})
Add option to register services and their checks idempotently (#4905)
2019-09-02 15:38:29 +00:00
}
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
// AddService is used to add a service entry.
// This entry is persistent and the agent will make a best effort to
// ensure it is registered
[Security] Add finer control over script checks (#4715) * Add -enable-local-script-checks options These options allow for a finer control over when script checks are enabled by giving the option to only allow them when they are declared from the local file system. * Add documentation for the new option * Nitpick doc wording
2018-10-11 12:22:11 +00:00
func (a *Agent) AddService(service *structs.NodeService, chkTypes []*structs.CheckType, persist bool, token string, source configSource) error {
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
a.stateLock.Lock()
defer a.stateLock.Unlock()
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
return a.addServiceLocked(&addServiceRequest{
service: service,
chkTypes: chkTypes,
previousDefaults: nil,
waitForCentralConfig: true,
persist: persist,
persistServiceConfig: true,
token: token,
replaceExistingChecks: false,
source: source,
agent: when enable_central_service_config is enabled ensure agent reload doesn't revert check state to critical (#8747) Likely introduced when #7345 landed.
2020-09-24 21:24:04 +00:00
snap: a.snapshotCheckState(),
})
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
}
Make central service config opt-in and rework the initial registration
2019-04-24 13:11:08 +00:00
// addServiceLocked adds a service entry to the service manager if enabled, or directly
// to the local state if it is not. This function assumes the state lock is already held.
agent: when enable_central_service_config is enabled ensure agent reload doesn't revert check state to critical (#8747) Likely introduced when #7345 landed.
2020-09-24 21:24:04 +00:00
func (a *Agent) addServiceLocked(req *addServiceRequest) error {
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
req.fixupForAddServiceLocked()
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
req.service.EnterpriseMeta.Normalize()
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
if err := a.validateService(req.service, req.chkTypes); err != nil {
Fill out the service manager functionality and fix tests
2019-04-23 06:39:02 +00:00
return err
agent: add default weights to service in local state to prevent AE churn (#5126) * Add default weights when adding a service with no weights to local state to prevent constant AE re-sync. This fix was contributed by @42wim in https://github.com/hashicorp/consul/pull/5096 but was merged against the wrong base. This adds it to master and adds a test to cover the behaviour. * Fix tests that broke due to comparing internal state which now has default weights
2019-01-08 10:13:49 +00:00
}
Make central service config opt-in and rework the initial registration
2019-04-24 13:11:08 +00:00
if a.config.EnableCentralServiceConfig {
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
return a.serviceManager.AddService(req)
agent: Warn on dns-incompatible characters during service registration. Fixes #683.
2015-02-09 17:22:51 +00:00
}
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
// previousDefaults are ignored here because they are only relevant for central config.
req.persistService = nil
req.persistDefaults = nil
req.persistServiceConfig = false
agent: when enable_central_service_config is enabled ensure agent reload doesn't revert check state to critical (#8747) Likely introduced when #7345 landed.
2020-09-24 21:24:04 +00:00
return a.addServiceInternal(req)
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
}
// addServiceRequest is the union of arguments for calling both
// addServiceLocked and addServiceInternal. The overlap was significant enough
// to warrant merging them and indicating which fields are meant to be set only
// in one of the two contexts.
//
// Before using the request struct one of the fixupFor*() methods should be
// invoked to clear irrelevant fields.
//
// The ServiceManager.AddService signature is largely just a passthrough for
// addServiceLocked and should be treated as such.
type addServiceRequest struct {
service *structs.NodeService
chkTypes []*structs.CheckType
previousDefaults *structs.ServiceConfigResponse // just for: addServiceLocked
waitForCentralConfig bool // just for: addServiceLocked
persistService *structs.NodeService // just for: addServiceInternal
persistDefaults *structs.ServiceConfigResponse // just for: addServiceInternal
persist bool
persistServiceConfig bool
token string
replaceExistingChecks bool
source configSource
agent: when enable_central_service_config is enabled ensure agent reload doesn't revert check state to critical (#8747) Likely introduced when #7345 landed.
2020-09-24 21:24:04 +00:00
snap map[structs.CheckID]*structs.HealthCheck
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
}
func (r *addServiceRequest) fixupForAddServiceLocked() {
r.persistService = nil
r.persistDefaults = nil
}
func (r *addServiceRequest) fixupForAddServiceInternal() {
r.previousDefaults = nil
r.waitForCentralConfig = false
Fill out the service manager functionality and fix tests
2019-04-23 06:39:02 +00:00
}
agent: warn on service tags with invalid chars
2015-02-09 17:30:06 +00:00
Make central service config opt-in and rework the initial registration
2019-04-24 13:11:08 +00:00
// addServiceInternal adds the given service and checks to the local state.
agent: when enable_central_service_config is enabled ensure agent reload doesn't revert check state to critical (#8747) Likely introduced when #7345 landed.
2020-09-24 21:24:04 +00:00
func (a *Agent) addServiceInternal(req *addServiceRequest) error {
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
req.fixupForAddServiceInternal()
var (
service = req.service
chkTypes = req.chkTypes
persistService = req.persistService
persistDefaults = req.persistDefaults
persist = req.persist
persistServiceConfig = req.persistServiceConfig
token = req.token
replaceExistingChecks = req.replaceExistingChecks
source = req.source
agent: when enable_central_service_config is enabled ensure agent reload doesn't revert check state to critical (#8747) Likely introduced when #7345 landed.
2020-09-24 21:24:04 +00:00
snap = req.snap
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
)
agent: restore check status when re-registering (updating) services
2015-05-06 19:28:42 +00:00
// Pause the service syncs during modification
a.PauseSync()
defer a.ResumeSync()
Add support for dual stack IPv4/IPv6 network (#6640) * Use consts for well known tagged adress keys * Add ipv4 and ipv6 tagged addresses for node lan and wan * Add ipv4 and ipv6 tagged addresses for service lan and wan * Use IPv4 and IPv6 address in DNS
2020-01-17 14:54:17 +00:00
// Set default tagged addresses
serviceIP := net.ParseIP(service.Address)
serviceAddressIs4 := serviceIP != nil && serviceIP.To4() != nil
serviceAddressIs6 := serviceIP != nil && serviceIP.To4() == nil
if service.TaggedAddresses == nil {
service.TaggedAddresses = map[string]structs.ServiceAddress{}
}
if _, ok := service.TaggedAddresses[structs.TaggedAddressLANIPv4]; !ok && serviceAddressIs4 {
service.TaggedAddresses[structs.TaggedAddressLANIPv4] = structs.ServiceAddress{Address: service.Address, Port: service.Port}
}
if _, ok := service.TaggedAddresses[structs.TaggedAddressWANIPv4]; !ok && serviceAddressIs4 {
service.TaggedAddresses[structs.TaggedAddressWANIPv4] = structs.ServiceAddress{Address: service.Address, Port: service.Port}
}
if _, ok := service.TaggedAddresses[structs.TaggedAddressLANIPv6]; !ok && serviceAddressIs6 {
service.TaggedAddresses[structs.TaggedAddressLANIPv6] = structs.ServiceAddress{Address: service.Address, Port: service.Port}
}
if _, ok := service.TaggedAddresses[structs.TaggedAddressWANIPv6]; !ok && serviceAddressIs6 {
service.TaggedAddresses[structs.TaggedAddressWANIPv6] = structs.ServiceAddress{Address: service.Address, Port: service.Port}
}
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
var checks []*structs.HealthCheck
agent: first pass at local service and check persistence
2014-11-24 08:36:03 +00:00
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
// all the checks must be associated with the same enterprise meta of the service
// so this map can just use the main CheckID for indexing
existingChecks := map[structs.CheckID]bool{}
for _, check := range a.State.ChecksForService(service.CompoundServiceID(), false) {
existingChecks[check.CompoundCheckID()] = false
Add option to register services and their checks idempotently (#4905)
2019-09-02 15:38:29 +00:00
}
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
// Create an associated health check
agent: support multiple checks per service
2015-01-14 01:52:17 +00:00
for i, chkType := range chkTypes {
agent: support custom check id and name This patch adds support for a custom check id and name when registering a service. This is achieved by adding a CheckID and a Name field to the CheckType structure which is used to register checks with a service and when returning health check definitions. CheckDefinition is a superset of CheckType which duplicates some of the fields of CheckType. This patch decouples these two structures by removing the embedding of CheckType in CheckDefinition. Fixes #3047
2017-05-15 19:49:13 +00:00
checkID := string(chkType.CheckID)
if checkID == "" {
checkID = fmt.Sprintf("service:%s", service.ID)
if len(chkTypes) > 1 {
checkID += fmt.Sprintf(":%d", i+1)
}
}
Track the correct check id for idempotent service/check updates
2019-11-14 15:59:06 +00:00
agent/structs: Remove ServiceID.Init and CheckID.Init The Init method provided the same functionality as the New constructor. The constructor is both more widely used, and more idiomatic, so remove the Init method. This change is in preparation for fixing printing of these IDs.
2020-04-15 16:03:29 +00:00
cid := structs.NewCheckID(types.CheckID(checkID), &service.EnterpriseMeta)
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
existingChecks[cid] = true
Track the correct check id for idempotent service/check updates
2019-11-14 15:59:06 +00:00
agent: support custom check id and name This patch adds support for a custom check id and name when registering a service. This is achieved by adding a CheckID and a Name field to the CheckType structure which is used to register checks with a service and when returning health check definitions. CheckDefinition is a superset of CheckType which duplicates some of the fields of CheckType. This patch decouples these two structures by removing the embedding of CheckType in CheckDefinition. Fixes #3047
2017-05-15 19:49:13 +00:00
name := chkType.Name
if name == "" {
name = fmt.Sprintf("Service '%s' check", service.Service)
agent: support multiple checks per service
2015-01-14 01:52:17 +00:00
}
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
check := &structs.HealthCheck{
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
Node: a.config.NodeName,
CheckID: types.CheckID(checkID),
Name: name,
Status: api.HealthCritical,
Notes: chkType.Notes,
ServiceID: service.ID,
ServiceName: service.Service,
ServiceTags: service.Tags,
Type: chkType.Type(),
EnterpriseMeta: service.EnterpriseMeta,
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
}
Allow specifying a status field in the agent/service/register and agent/check/register endpoints. This status must be one of the valid check statuses: 'passing', 'warning', 'critical', 'unknown'. If the status field is not present or the empty string, the default of 'critical' is used.
2015-04-12 00:53:48 +00:00
if chkType.Status != "" {
check.Status = chkType.Status
}
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
agent: avoid reverting any check updates that occur while a service is being added or the config is reloaded (#6144)
2019-07-17 19:06:50 +00:00
// Restore the fields from the snapshot.
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
prev, ok := snap[cid]
agent: avoid reverting any check updates that occur while a service is being added or the config is reloaded (#6144)
2019-07-17 19:06:50 +00:00
if ok {
check.Output = prev.Output
check.Status = prev.Status
}
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
checks = append(checks, check)
}
// cleanup, store the ids of services and checks that weren't previously
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
// registered so we clean them up if something fails halfway through the
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
// process.
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
var cleanupServices []structs.ServiceID
var cleanupChecks []structs.CheckID
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
sid := service.CompoundServiceID()
if s := a.State.Service(sid); s == nil {
cleanupServices = append(cleanupServices, sid)
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
}
for _, check := range checks {
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
cid := check.CompoundCheckID()
if c := a.State.Check(cid); c == nil {
cleanupChecks = append(cleanupChecks, cid)
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
}
}
err := a.State.AddServiceWithChecks(service, checks, token)
if err != nil {
a.cleanupRegistration(cleanupServices, cleanupChecks)
return err
}
for i := range checks {
Fix a bunch of unparam lint issues
2020-06-23 17:18:22 +00:00
if err := a.addCheck(checks[i], chkTypes[i], service, token, source); err != nil {
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
a.cleanupRegistration(cleanupServices, cleanupChecks)
return err
}
if persist && a.config.DataDir != "" {
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
if err := a.persistCheck(checks[i], chkTypes[i], source); err != nil {
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
a.cleanupRegistration(cleanupServices, cleanupChecks)
return err
}
}
}
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
// If a proxy service wishes to expose checks, check targets need to be rerouted to the proxy listener
// This needs to be called after chkTypes are added to the agent, to avoid being overwritten
agent/structs: Remove ServiceID.Init and CheckID.Init The Init method provided the same functionality as the New constructor. The constructor is both more widely used, and more idiomatic, so remove the Init method. This change is in preparation for fixing printing of these IDs.
2020-04-15 16:03:29 +00:00
psid := structs.NewServiceID(service.Proxy.DestinationServiceID, &service.EnterpriseMeta)
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
if service.Proxy.Expose.Checks {
agent: rewrite checks with proxy address, not local service address (#7518) Exposing checks is supposed to allow a Consul agent bound to a different IP address (e.g., in a different Kubernetes pod) to access healthchecks through the proxy while the underlying service binds to localhost. This is an important security feature that makes sure no external traffic reaches the service except through the proxy. However, as far as I can tell, this is subtly broken in the case where the Consul agent cannot reach the proxy over localhost. If a proxy is configured with: `{ LocalServiceAddress: "127.0.0.1", Checks: true }`, as is typical with a sidecar proxy, the Consul checks are currently rewritten to `127.0.0.1:<random port>`. A Consul agent that does not share the loopback address cannot reach this address. Just to make sure I was not misunderstanding, I tried configuring the proxy with `{ LocalServiceAddress: "<pod ip>", Checks: true }`. In this case, while the checks are rewritten as expected and the agent can reach the dynamic port, the proxy can no longer reach its backend because the traffic is no longer on the loopback interface. I think rewriting the checks to use `proxy.Address`, the proxy's own address, is more correct in this case. That is the IP where the proxy can be reached, both by other proxies and by a Consul agent running on a different IP. The local service address should continue to use `127.0.0.1` in most cases.
2020-04-02 07:35:43 +00:00
err := a.rerouteExposedChecks(psid, service.Address)
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
if err != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Warn("failed to reroute L7 checks to exposed proxy listener")
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
}
} else {
// Reset check targets if proxy was re-registered but no longer wants to expose checks
// If the proxy is being registered for the first time then this is a no-op
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
a.resetExposedChecks(psid)
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
}
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
if persistServiceConfig && a.config.DataDir != "" {
var err error
if persistDefaults != nil {
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
err = a.persistServiceConfig(service.CompoundServiceID(), persistDefaults)
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
} else {
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
err = a.purgeServiceConfig(service.CompoundServiceID())
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
}
if err != nil {
a.cleanupRegistration(cleanupServices, cleanupChecks)
return err
}
}
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
// Persist the service to a file
if persist && a.config.DataDir != "" {
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
if persistService == nil {
persistService = service
}
if err := a.persistService(persistService, source); err != nil {
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
a.cleanupRegistration(cleanupServices, cleanupChecks)
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
return err
}
}
Add SidecarService Syntax sugar to Service Definition (#4686) * Added new Config for SidecarService in ServiceDefinitions. * WIP: all the code needed for SidecarService is written... none of it is tested other than config :). Need API updates too. * Test coverage for the new sidecarServiceFromNodeService method. * Test API registratrion with SidecarService * Recursive Key Translation :facepalm: * Add tests for nested sidecar defintion arrays to ensure they are translated correctly * Use dedicated internal state rather than Service Meta for tracking sidecars for deregistration. Add tests for deregistration. * API struct for agent register. No other endpoint should be affected yet. * Additional test cases to cover updates to API registrations
2018-09-27 13:33:12 +00:00
Add option to register services and their checks idempotently (#4905)
2019-09-02 15:38:29 +00:00
if replaceExistingChecks {
for checkID, keep := range existingChecks {
if !keep {
a.removeCheckLocked(checkID, persist)
}
}
}
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
return nil
}
Fill out the service manager functionality and fix tests
2019-04-23 06:39:02 +00:00
// validateService validates an service and its checks, either returning an error or emitting a
// warning based on the nature of the error.
func (a *Agent) validateService(service *structs.NodeService, chkTypes []*structs.CheckType) error {
if service.Service == "" {
return fmt.Errorf("Service name missing")
}
if service.ID == "" && service.Service != "" {
service.ID = service.Service
}
for _, check := range chkTypes {
if err := check.Validate(); err != nil {
return fmt.Errorf("Check is not valid: %v", err)
}
}
// Set default weights if not specified. This is important as it ensures AE
// doesn't consider the service different since it has nil weights.
if service.Weights == nil {
service.Weights = &structs.Weights{Passing: 1, Warning: 1}
}
// Warn if the service name is incompatible with DNS
config: move NodeName validation to config validation Previsouly it was done in Agent.Start, which is much later then it needs to be. The new 'dns' package was required, because otherwise there would be an import cycle. In the future we should move more of the dns server into the dns package.
2020-08-17 21:24:49 +00:00
if dns.InvalidNameRe.MatchString(service.Service) {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Warn("Service name will not be discoverable "+
Fill out the service manager functionality and fix tests
2019-04-23 06:39:02 +00:00
"via DNS due to invalid characters. Valid characters include "+
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
"all alpha-numerics and dashes.",
"service", service.Service,
)
config: move NodeName validation to config validation Previsouly it was done in Agent.Start, which is much later then it needs to be. The new 'dns' package was required, because otherwise there would be an import cycle. In the future we should move more of the dns server into the dns package.
2020-08-17 21:24:49 +00:00
} else if len(service.Service) > dns.MaxLabelLength {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Warn("Service name will not be discoverable "+
Fill out the service manager functionality and fix tests
2019-04-23 06:39:02 +00:00
"via DNS due to it being too long. Valid lengths are between "+
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
"1 and 63 bytes.",
"service", service.Service,
)
Fill out the service manager functionality and fix tests
2019-04-23 06:39:02 +00:00
}
// Warn if any tags are incompatible with DNS
for _, tag := range service.Tags {
config: move NodeName validation to config validation Previsouly it was done in Agent.Start, which is much later then it needs to be. The new 'dns' package was required, because otherwise there would be an import cycle. In the future we should move more of the dns server into the dns package.
2020-08-17 21:24:49 +00:00
if dns.InvalidNameRe.MatchString(tag) {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Debug("Service tag will not be discoverable "+
Fill out the service manager functionality and fix tests
2019-04-23 06:39:02 +00:00
"via DNS due to invalid characters. Valid characters include "+
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
"all alpha-numerics and dashes.",
"tag", tag,
)
config: move NodeName validation to config validation Previsouly it was done in Agent.Start, which is much later then it needs to be. The new 'dns' package was required, because otherwise there would be an import cycle. In the future we should move more of the dns server into the dns package.
2020-08-17 21:24:49 +00:00
} else if len(tag) > dns.MaxLabelLength {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Debug("Service tag will not be discoverable "+
Fill out the service manager functionality and fix tests
2019-04-23 06:39:02 +00:00
"via DNS due to it being too long. Valid lengths are between "+
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
"1 and 63 bytes.",
"tag", tag,
)
Fill out the service manager functionality and fix tests
2019-04-23 06:39:02 +00:00
}
}
Add support for dual stack IPv4/IPv6 network (#6640) * Use consts for well known tagged adress keys * Add ipv4 and ipv6 tagged addresses for node lan and wan * Add ipv4 and ipv6 tagged addresses for service lan and wan * Use IPv4 and IPv6 address in DNS
2020-01-17 14:54:17 +00:00
// Check IPv4/IPv6 tagged addresses
if service.TaggedAddresses != nil {
if sa, ok := service.TaggedAddresses[structs.TaggedAddressLANIPv4]; ok {
ip := net.ParseIP(sa.Address)
if ip == nil || ip.To4() == nil {
return fmt.Errorf("Service tagged address %q must be a valid ipv4 address", structs.TaggedAddressLANIPv4)
}
}
if sa, ok := service.TaggedAddresses[structs.TaggedAddressWANIPv4]; ok {
ip := net.ParseIP(sa.Address)
if ip == nil || ip.To4() == nil {
return fmt.Errorf("Service tagged address %q must be a valid ipv4 address", structs.TaggedAddressWANIPv4)
}
}
if sa, ok := service.TaggedAddresses[structs.TaggedAddressLANIPv6]; ok {
ip := net.ParseIP(sa.Address)
if ip == nil || ip.To4() != nil {
return fmt.Errorf("Service tagged address %q must be a valid ipv6 address", structs.TaggedAddressLANIPv6)
}
}
if sa, ok := service.TaggedAddresses[structs.TaggedAddressLANIPv6]; ok {
ip := net.ParseIP(sa.Address)
if ip == nil || ip.To4() != nil {
return fmt.Errorf("Service tagged address %q must be a valid ipv6 address", structs.TaggedAddressLANIPv6)
}
}
}
Fill out the service manager functionality and fix tests
2019-04-23 06:39:02 +00:00
return nil
}
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
// cleanupRegistration is called on registration error to ensure no there are no
// leftovers after a partial failure
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
func (a *Agent) cleanupRegistration(serviceIDs []structs.ServiceID, checksIDs []structs.CheckID) {
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
for _, s := range serviceIDs {
if err := a.State.RemoveService(s); err != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Error("failed to remove service during cleanup",
"service", s.String(),
"error", err,
)
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
}
if err := a.purgeService(s); err != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Error("failed to purge service file during cleanup",
"service", s.String(),
"error", err,
)
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
}
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
if err := a.purgeServiceConfig(s); err != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Error("failed to purge service config file during cleanup",
"service", s,
"error", err,
)
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
}
agent: remove service sidecars in Agent.cleanupRegistration (#7022) Sidecar proxies were left behind when cleaning up after an unsuccessful registration. There are now also removed when the service is cleanup up.
2020-01-20 13:01:40 +00:00
if err := a.removeServiceSidecars(s, true); err != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Error("service registration: cleanup: failed remove sidecars for", "service", s, "error", err)
agent: remove service sidecars in Agent.cleanupRegistration (#7022) Sidecar proxies were left behind when cleaning up after an unsuccessful registration. There are now also removed when the service is cleanup up.
2020-01-20 13:01:40 +00:00
}
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
}
for _, c := range checksIDs {
a.cancelCheckMonitors(c)
if err := a.State.RemoveCheck(c); err != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Error("failed to remove check during cleanup",
"check", c.String(),
"error", err,
)
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
}
if err := a.purgeCheck(c); err != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Error("failed to purge check file during cleanup",
"check", c.String(),
"error", err,
)
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
}
}
}
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
// RemoveService is used to remove a service entry.
// The agent will make a best effort to ensure it is deregistered
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
func (a *Agent) RemoveService(serviceID structs.ServiceID) error {
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
return a.removeService(serviceID, true)
}
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
func (a *Agent) removeService(serviceID structs.ServiceID, persist bool) error {
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
a.stateLock.Lock()
defer a.stateLock.Unlock()
return a.removeServiceLocked(serviceID, persist)
}
// removeServiceLocked is used to remove a service entry.
// The agent will make a best effort to ensure it is deregistered
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
func (a *Agent) removeServiceLocked(serviceID structs.ServiceID, persist bool) error {
Validate ServiceID/CheckID when deregistering.
2015-01-26 16:06:49 +00:00
// Validate ServiceID
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
if serviceID.ID == "" {
Validate ServiceID/CheckID when deregistering.
2015-01-26 16:06:49 +00:00
return fmt.Errorf("ServiceID missing")
}
Test an index=0 value in cache.Notify
2019-04-25 09:11:07 +00:00
// Shut down the config watch in the service manager if enabled.
if a.config.EnableCentralServiceConfig {
a.serviceManager.RemoveService(serviceID)
}
Fill out the service manager functionality and fix tests
2019-04-23 06:39:02 +00:00
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
// Reset the HTTP check targets if they were exposed through a proxy
// If this is not a proxy or checks were not exposed then this is a no-op
svc := a.State.Service(serviceID)
if svc != nil {
agent/structs: Remove ServiceID.Init and CheckID.Init The Init method provided the same functionality as the New constructor. The constructor is both more widely used, and more idiomatic, so remove the Init method. This change is in preparation for fixing printing of these IDs.
2020-04-15 16:03:29 +00:00
psid := structs.NewServiceID(svc.Proxy.DestinationServiceID, &svc.EnterpriseMeta)
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
a.resetExposedChecks(psid)
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
}
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
checks := a.State.ChecksForService(serviceID, false)
var checkIDs []structs.CheckID
for id := range checks {
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
checkIDs = append(checkIDs, id)
}
Fix a bunch of typos.
2015-09-15 12:22:08 +00:00
// Remove service immediately
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
if err := a.State.RemoveServiceWithChecks(serviceID, checkIDs); err != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Warn("Failed to deregister service",
"service", serviceID.String(),
"error", err,
)
Improve logging when deregistering a nonexistent service (#2492) Log a warning instead of a success message when attempting to deregister a nonexistent service. In Consul 0.8 this can be changed to giving an error outright, but for now we can keep the idempotent delete behavior.
2016-11-09 21:56:54 +00:00
return nil
}
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
agent: first pass at local service and check persistence
2014-11-24 08:36:03 +00:00
// Remove the service from the data dir
agent: allow config reload to modify checks/services persistence This change consolidates loading services and checks from both config and persisted state into methods on the agent. As part of this, we introduce optional persistence when calling RemoveCheck/RemoveService. Fixes a bug where config reloads would kill persisted services/checks. Also fixes an edge case: 1. A service or check is registered via the HTTP API 2. A new service or check definition with the same ID is added to config 3. Config is reloaded The desired behavior (which this implements) is: 1. All services and checks deregistered in memory 2. All services and checks in config are registered first 3. All persisted checks are restored using the same logic as the agent start sequence, which prioritizes config over persisted, and removes any persistence files if new config counterparts are present.
2014-11-26 07:58:02 +00:00
if persist {
if err := a.purgeService(serviceID); err != nil {
return err
}
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
if err := a.purgeServiceConfig(serviceID); err != nil {
return err
}
agent: first pass at local service and check persistence
2014-11-24 08:36:03 +00:00
}
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
// Deregister any associated health checks
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
for checkID := range checks {
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
if err := a.removeCheckLocked(checkID, persist); err != nil {
agent: support multiple checks per service
2015-01-14 01:52:17 +00:00
return err
}
agent: test service and check unloading
2015-01-08 06:26:40 +00:00
}
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Debug("removed service", "service", serviceID.String())
Add SidecarService Syntax sugar to Service Definition (#4686) * Added new Config for SidecarService in ServiceDefinitions. * WIP: all the code needed for SidecarService is written... none of it is tested other than config :). Need API updates too. * Test coverage for the new sidecarServiceFromNodeService method. * Test API registratrion with SidecarService * Recursive Key Translation :facepalm: * Add tests for nested sidecar defintion arrays to ensure they are translated correctly * Use dedicated internal state rather than Service Meta for tracking sidecars for deregistration. Add tests for deregistration. * API struct for agent register. No other endpoint should be affected yet. * Additional test cases to cover updates to API registrations
2018-09-27 13:33:12 +00:00
// If any Sidecar services exist for the removed service ID, remove them too.
agent: remove service sidecars in Agent.cleanupRegistration (#7022) Sidecar proxies were left behind when cleaning up after an unsuccessful registration. There are now also removed when the service is cleanup up.
2020-01-20 13:01:40 +00:00
return a.removeServiceSidecars(serviceID, persist)
}
func (a *Agent) removeServiceSidecars(serviceID structs.ServiceID, persist bool) error {
agent/structs: Remove ServiceID.Init and CheckID.Init The Init method provided the same functionality as the New constructor. The constructor is both more widely used, and more idiomatic, so remove the Init method. This change is in preparation for fixing printing of these IDs.
2020-04-15 16:03:29 +00:00
sidecarSID := structs.NewServiceID(a.sidecarServiceID(serviceID.ID), &serviceID.EnterpriseMeta)
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
if sidecar := a.State.Service(sidecarSID); sidecar != nil {
Add SidecarService Syntax sugar to Service Definition (#4686) * Added new Config for SidecarService in ServiceDefinitions. * WIP: all the code needed for SidecarService is written... none of it is tested other than config :). Need API updates too. * Test coverage for the new sidecarServiceFromNodeService method. * Test API registratrion with SidecarService * Recursive Key Translation :facepalm: * Add tests for nested sidecar defintion arrays to ensure they are translated correctly * Use dedicated internal state rather than Service Meta for tracking sidecars for deregistration. Add tests for deregistration. * API struct for agent register. No other endpoint should be affected yet. * Additional test cases to cover updates to API registrations
2018-09-27 13:33:12 +00:00
// Double check that it's not just an ID collision and we actually added
// this from a sidecar.
if sidecar.LocallyRegisteredAsSidecar {
// Remove it!
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
err := a.removeServiceLocked(sidecarSID, persist)
Add SidecarService Syntax sugar to Service Definition (#4686) * Added new Config for SidecarService in ServiceDefinitions. * WIP: all the code needed for SidecarService is written... none of it is tested other than config :). Need API updates too. * Test coverage for the new sidecarServiceFromNodeService method. * Test API registratrion with SidecarService * Recursive Key Translation :facepalm: * Add tests for nested sidecar defintion arrays to ensure they are translated correctly * Use dedicated internal state rather than Service Meta for tracking sidecars for deregistration. Add tests for deregistration. * API struct for agent register. No other endpoint should be affected yet. * Additional test cases to cover updates to API registrations
2018-09-27 13:33:12 +00:00
if err != nil {
return err
}
}
}
agent: test service and check unloading
2015-01-08 06:26:40 +00:00
return nil
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
}
// AddCheck is used to add a health check to the agent.
// This entry is persistent and the agent will make a best effort to
// ensure it is registered. The Check may include a CheckType which
// is used to automatically update the check status
[Security] Add finer control over script checks (#4715) * Add -enable-local-script-checks options These options allow for a finer control over when script checks are enabled by giving the option to only allow them when they are declared from the local file system. * Add documentation for the new option * Nitpick doc wording
2018-10-11 12:22:11 +00:00
func (a *Agent) AddCheck(check *structs.HealthCheck, chkType *structs.CheckType, persist bool, token string, source configSource) error {
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
a.stateLock.Lock()
defer a.stateLock.Unlock()
return a.addCheckLocked(check, chkType, persist, token, source)
}
func (a *Agent) addCheckLocked(check *structs.HealthCheck, chkType *structs.CheckType, persist bool, token string, source configSource) error {
var service *structs.NodeService
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
check.EnterpriseMeta.Normalize()
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
if check.ServiceID != "" {
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
cid := check.CompoundServiceID()
service = a.State.Service(cid)
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
if service == nil {
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
return fmt.Errorf("ServiceID %q does not exist", cid.String())
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
}
}
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
// Extra validations
if err := check.Validate(); err != nil {
return err
}
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
// snapshot the current state of the health check to avoid potential flapping
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
cid := check.CompoundCheckID()
existing := a.State.Check(cid)
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
defer func() {
if existing != nil {
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
a.State.UpdateCheck(cid, existing.Status, existing.Output)
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
}
}()
Fix a bunch of unparam lint issues
2020-06-23 17:18:22 +00:00
err := a.addCheck(check, chkType, service, token, source)
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
if err != nil {
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
a.State.RemoveCheck(cid)
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
return err
}
// Add to the local state for anti-entropy
err = a.State.AddCheck(check, token)
if err != nil {
return err
}
// Persist the check
if persist && a.config.DataDir != "" {
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
return a.persistCheck(check, chkType, source)
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
}
return nil
}
Fix a bunch of unparam lint issues
2020-06-23 17:18:22 +00:00
func (a *Agent) addCheck(check *structs.HealthCheck, chkType *structs.CheckType, service *structs.NodeService, token string, source configSource) error {
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
if check.CheckID == "" {
return fmt.Errorf("CheckID missing")
}
Adds new config to make script checks opt-in, updates documentation. (#3284)
2017-07-17 18:20:35 +00:00
if chkType != nil {
Fixes agent error handling when check definition is invalid. Distingu… (#3560) * Fixes agent error handling when check definition is invalid. Distinguishes between empty checks vs invalid checks * Made CheckTypes return Checks from service definition struct rather than a new copy, and other changes from code review. This also errors when json payload contains empty structs * Simplify and improve validate method, and make sure that CheckTypes always returns a new copy of validated check definitions * Tweaks some small style things and error messages. * Updates the change log.
2017-10-10 23:54:06 +00:00
if err := chkType.Validate(); err != nil {
return fmt.Errorf("Check is not valid: %v", err)
Adds new config to make script checks opt-in, updates documentation. (#3284)
2017-07-17 18:20:35 +00:00
}
[Security] Add finer control over script checks (#4715) * Add -enable-local-script-checks options These options allow for a finer control over when script checks are enabled by giving the option to only allow them when they are declared from the local file system. * Add documentation for the new option * Nitpick doc wording
2018-10-11 12:22:11 +00:00
if chkType.IsScript() {
if source == ConfigSourceLocal && !a.config.EnableLocalScriptChecks {
return fmt.Errorf("Scripts are disabled on this agent; to enable, configure 'enable_script_checks' or 'enable_local_script_checks' to true")
}
if source == ConfigSourceRemote && !a.config.EnableRemoteScriptChecks {
return fmt.Errorf("Scripts are disabled on this agent from remote calls; to enable, configure 'enable_script_checks' to true")
}
Adds new config to make script checks opt-in, updates documentation. (#3284)
2017-07-17 18:20:35 +00:00
}
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
}
agent: support multiple checks per service
2015-01-14 01:52:17 +00:00
if check.ServiceID != "" {
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
check.ServiceName = service.Service
check.ServiceTags = service.Tags
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
check.EnterpriseMeta = service.EnterpriseMeta
agent: support multiple checks per service
2015-01-14 01:52:17 +00:00
}
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
// Check if already registered
if chkType != nil {
Support for maximum size for Output of checks (#5233) * Support for maximum size for Output of checks This PR allows users to limit the size of output produced by checks at the agent and check level. When set at the agent level, it will limit the output for all checks monitored by the agent. When set at the check level, it can override the agent max for a specific check but only if it is lower than the agent max. Default value is 4k, and input must be at least 1.
2019-06-26 15:43:25 +00:00
maxOutputSize := a.config.CheckOutputMaxSize
if maxOutputSize == 0 {
maxOutputSize = checks.DefaultBufSize
}
if chkType.OutputMaxSize > 0 && maxOutputSize > chkType.OutputMaxSize {
maxOutputSize = chkType.OutputMaxSize
}
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
// Get the address of the proxy for this service if it exists
// Need its config to know whether we should reroute checks to it
var proxy *structs.NodeService
if service != nil {
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
for _, svc := range a.State.Services(&service.EnterpriseMeta) {
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
if svc.Proxy.DestinationServiceID == service.ID {
proxy = svc
break
}
}
}
Checks to passing/critical only after reaching a consecutive success/failure threshold (#5739) A check may be set to become passing/critical only if a specified number of successive checks return passing/critical in a row. Status will stay identical as before until the threshold is reached. This feature is available for HTTP, TCP, gRPC, Docker & Monitor checks.
2019-10-14 20:49:49 +00:00
statusHandler := checks.NewStatusHandler(a.State, a.logger, chkType.SuccessBeforePassing, chkType.FailuresBeforeCritical)
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
sid := check.CompoundServiceID()
cid := check.CompoundCheckID()
Checks to passing/critical only after reaching a consecutive success/failure threshold (#5739) A check may be set to become passing/critical only if a specified number of successive checks return passing/critical in a row. Status will stay identical as before until the threshold is reached. This feature is available for HTTP, TCP, gRPC, Docker & Monitor checks.
2019-10-14 20:49:49 +00:00
agent: replace docker check This patch replaces the Docker client which is used for health checks with a simplified version tailored for that purpose. See #3254 See #3257 Fixes #3270
2017-07-12 14:01:42 +00:00
switch {
case chkType.IsTTL():
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
if existing, ok := a.checkTTLs[cid]; ok {
agent: Fix issues with re-registration. Fixes #216
2014-06-17 23:48:19 +00:00
existing.Stop()
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
delete(a.checkTTLs, cid)
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
}
Decouple the code that executes checks from the agent
2017-10-25 09:18:07 +00:00
ttl := &checks.CheckTTL{
Support for maximum size for Output of checks (#5233) * Support for maximum size for Output of checks This PR allows users to limit the size of output produced by checks at the agent and check level. When set at the agent level, it will limit the output for all checks monitored by the agent. When set at the check level, it can override the agent max for a specific check but only if it is lower than the agent max. Default value is 4k, and input must be at least 1.
2019-06-26 15:43:25 +00:00
Notify: a.State,
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
CheckID: cid,
ServiceID: sid,
Support for maximum size for Output of checks (#5233) * Support for maximum size for Output of checks This PR allows users to limit the size of output produced by checks at the agent and check level. When set at the agent level, it will limit the output for all checks monitored by the agent. When set at the check level, it can override the agent max for a specific check but only if it is lower than the agent max. Default value is 4k, and input must be at least 1.
2019-06-26 15:43:25 +00:00
TTL: chkType.TTL,
Logger: a.logger,
OutputMaxSize: maxOutputSize,
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
}
agent: first stab at persisting check state
2015-06-05 23:17:07 +00:00
// Restore persisted state, if any
agent: use persist/load/purge convention for function names
2015-06-08 16:35:10 +00:00
if err := a.loadCheckState(check); err != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Warn("failed restoring state for check",
"check", cid.String(),
"error", err,
)
agent: first stab at persisting check state
2015-06-05 23:17:07 +00:00
}
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
ttl.Start()
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
a.checkTTLs[cid] = ttl
agent: replace docker check This patch replaces the Docker client which is used for health checks with a simplified version tailored for that purpose. See #3254 See #3257 Fixes #3270
2017-07-12 14:01:42 +00:00
case chkType.IsHTTP():
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
if existing, ok := a.checkHTTPs[cid]; ok {
command/agent: Add simple HTTP check type These checks make an `HTTP GET` request every Interval to the specified URL. The status of the service depends on the HTTP Response Code. `200` is passing, `503` is warning and anything else is failing.
2015-01-09 22:43:24 +00:00
existing.Stop()
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
delete(a.checkHTTPs, cid)
command/agent: Add simple HTTP check type These checks make an `HTTP GET` request every Interval to the specified URL. The status of the service depends on the HTTP Response Code. `200` is passing, `503` is warning and anything else is failing.
2015-01-09 22:43:24 +00:00
}
Decouple the code that executes checks from the agent
2017-10-25 09:18:07 +00:00
if chkType.Interval < checks.MinInterval {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Warn("check has interval below minimum",
"check", cid.String(),
"minimum_interval", checks.MinInterval,
)
Decouple the code that executes checks from the agent
2017-10-25 09:18:07 +00:00
chkType.Interval = checks.MinInterval
command/agent: Add simple HTTP check type These checks make an `HTTP GET` request every Interval to the specified URL. The status of the service depends on the HTTP Response Code. `200` is passing, `503` is warning and anything else is failing.
2015-01-09 22:43:24 +00:00
}
agent: enable reloading of tls config (#5419) This PR introduces reloading tls configuration. Consul will now be able to reload the TLS configuration which previously required a restart. It is not yet possible to turn TLS ON or OFF with these changes. Only when TLS is already turned on, the configuration can be reloaded. Most importantly the certificates and CAs.
2019-03-13 09:29:06 +00:00
tlsClientConfig := a.tlsConfigurator.OutgoingTLSConfigForCheck(chkType.TLSSkipVerify)
Adds enable_agent_tls_for_checks configuration option which allows (#3661) HTTP health checks for services requiring 2-way TLS to be checked using the agent's credentials.
2017-11-08 02:22:09 +00:00
Decouple the code that executes checks from the agent
2017-10-25 09:18:07 +00:00
http := &checks.CheckHTTP{
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
CheckID: cid,
ServiceID: sid,
Adds enable_agent_tls_for_checks configuration option which allows (#3661) HTTP health checks for services requiring 2-way TLS to be checked using the agent's credentials.
2017-11-08 02:22:09 +00:00
HTTP: chkType.HTTP,
Header: chkType.Header,
Method: chkType.Method,
feat: support sending body in HTTP checks (#6602)
2020-02-10 16:27:12 +00:00
Body: chkType.Body,
Adds enable_agent_tls_for_checks configuration option which allows (#3661) HTTP health checks for services requiring 2-way TLS to be checked using the agent's credentials.
2017-11-08 02:22:09 +00:00
Interval: chkType.Interval,
Timeout: chkType.Timeout,
Logger: a.logger,
Support for maximum size for Output of checks (#5233) * Support for maximum size for Output of checks This PR allows users to limit the size of output produced by checks at the agent and check level. When set at the agent level, it will limit the output for all checks monitored by the agent. When set at the check level, it can override the agent max for a specific check but only if it is lower than the agent max. Default value is 4k, and input must be at least 1.
2019-06-26 15:43:25 +00:00
OutputMaxSize: maxOutputSize,
Adds enable_agent_tls_for_checks configuration option which allows (#3661) HTTP health checks for services requiring 2-way TLS to be checked using the agent's credentials.
2017-11-08 02:22:09 +00:00
TLSClientConfig: tlsClientConfig,
Checks to passing/critical only after reaching a consecutive success/failure threshold (#5739) A check may be set to become passing/critical only if a specified number of successive checks return passing/critical in a row. Status will stay identical as before until the threshold is reached. This feature is available for HTTP, TCP, gRPC, Docker & Monitor checks.
2019-10-14 20:49:49 +00:00
StatusHandler: statusHandler,
command/agent: Add simple HTTP check type These checks make an `HTTP GET` request every Interval to the specified URL. The status of the service depends on the HTTP Response Code. `200` is passing, `503` is warning and anything else is failing.
2015-01-09 22:43:24 +00:00
}
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
if proxy != nil && proxy.Proxy.Expose.Checks {
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
port, err := a.listenerPortLocked(sid, cid)
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
if err != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Error("error exposing check",
"check", cid.String(),
"error", err,
)
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
return err
}
agent: rewrite checks with proxy address, not local service address (#7518) Exposing checks is supposed to allow a Consul agent bound to a different IP address (e.g., in a different Kubernetes pod) to access healthchecks through the proxy while the underlying service binds to localhost. This is an important security feature that makes sure no external traffic reaches the service except through the proxy. However, as far as I can tell, this is subtly broken in the case where the Consul agent cannot reach the proxy over localhost. If a proxy is configured with: `{ LocalServiceAddress: "127.0.0.1", Checks: true }`, as is typical with a sidecar proxy, the Consul checks are currently rewritten to `127.0.0.1:<random port>`. A Consul agent that does not share the loopback address cannot reach this address. Just to make sure I was not misunderstanding, I tried configuring the proxy with `{ LocalServiceAddress: "<pod ip>", Checks: true }`. In this case, while the checks are rewritten as expected and the agent can reach the dynamic port, the proxy can no longer reach its backend because the traffic is no longer on the loopback interface. I think rewriting the checks to use `proxy.Address`, the proxy's own address, is more correct in this case. That is the IP where the proxy can be reached, both by other proxies and by a Consul agent running on a different IP. The local service address should continue to use `127.0.0.1` in most cases.
2020-04-02 07:35:43 +00:00
http.ProxyHTTP = httpInjectAddr(http.HTTP, proxy.Address, port)
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
}
command/agent: Add simple HTTP check type These checks make an `HTTP GET` request every Interval to the specified URL. The status of the service depends on the HTTP Response Code. `200` is passing, `503` is warning and anything else is failing.
2015-01-09 22:43:24 +00:00
http.Start()
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
a.checkHTTPs[cid] = http
command/agent: Add simple HTTP check type These checks make an `HTTP GET` request every Interval to the specified URL. The status of the service depends on the HTTP Response Code. `200` is passing, `503` is warning and anything else is failing.
2015-01-09 22:43:24 +00:00
agent: replace docker check This patch replaces the Docker client which is used for health checks with a simplified version tailored for that purpose. See #3254 See #3257 Fixes #3270
2017-07-12 14:01:42 +00:00
case chkType.IsTCP():
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
if existing, ok := a.checkTCPs[cid]; ok {
Add TCP check type Adds the ability to simply check whether a TCP socket accepts connections to determine if it is healthy. This is a light-weight - though less comprehensive than scripting - method of checking network service health. The check parameter `tcp` should be set to the `address:port` combination for the service to be tested. Supports both IPv6 and IPv4, in the case of a hostname that resolves to both, connections will be attempted via both protocol versions, with the first successful connection returning a successful check result. Example check: ```json { "check": { "id": "ssh", "name": "SSH (TCP)", "tcp": "example.com:22", "interval": "10s" } } ```
2015-07-23 11:45:08 +00:00
existing.Stop()
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
delete(a.checkTCPs, cid)
Add TCP check type Adds the ability to simply check whether a TCP socket accepts connections to determine if it is healthy. This is a light-weight - though less comprehensive than scripting - method of checking network service health. The check parameter `tcp` should be set to the `address:port` combination for the service to be tested. Supports both IPv6 and IPv4, in the case of a hostname that resolves to both, connections will be attempted via both protocol versions, with the first successful connection returning a successful check result. Example check: ```json { "check": { "id": "ssh", "name": "SSH (TCP)", "tcp": "example.com:22", "interval": "10s" } } ```
2015-07-23 11:45:08 +00:00
}
Decouple the code that executes checks from the agent
2017-10-25 09:18:07 +00:00
if chkType.Interval < checks.MinInterval {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Warn("check has interval below minimum",
"check", cid.String(),
"minimum_interval", checks.MinInterval,
)
Decouple the code that executes checks from the agent
2017-10-25 09:18:07 +00:00
chkType.Interval = checks.MinInterval
Add TCP check type Adds the ability to simply check whether a TCP socket accepts connections to determine if it is healthy. This is a light-weight - though less comprehensive than scripting - method of checking network service health. The check parameter `tcp` should be set to the `address:port` combination for the service to be tested. Supports both IPv6 and IPv4, in the case of a hostname that resolves to both, connections will be attempted via both protocol versions, with the first successful connection returning a successful check result. Example check: ```json { "check": { "id": "ssh", "name": "SSH (TCP)", "tcp": "example.com:22", "interval": "10s" } } ```
2015-07-23 11:45:08 +00:00
}
Decouple the code that executes checks from the agent
2017-10-25 09:18:07 +00:00
tcp := &checks.CheckTCP{
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
CheckID: cid,
ServiceID: sid,
Checks to passing/critical only after reaching a consecutive success/failure threshold (#5739) A check may be set to become passing/critical only if a specified number of successive checks return passing/critical in a row. Status will stay identical as before until the threshold is reached. This feature is available for HTTP, TCP, gRPC, Docker & Monitor checks.
2019-10-14 20:49:49 +00:00
TCP: chkType.TCP,
Interval: chkType.Interval,
Timeout: chkType.Timeout,
Logger: a.logger,
StatusHandler: statusHandler,
Add TCP check type Adds the ability to simply check whether a TCP socket accepts connections to determine if it is healthy. This is a light-weight - though less comprehensive than scripting - method of checking network service health. The check parameter `tcp` should be set to the `address:port` combination for the service to be tested. Supports both IPv6 and IPv4, in the case of a hostname that resolves to both, connections will be attempted via both protocol versions, with the first successful connection returning a successful check result. Example check: ```json { "check": { "id": "ssh", "name": "SSH (TCP)", "tcp": "example.com:22", "interval": "10s" } } ```
2015-07-23 11:45:08 +00:00
}
tcp.Start()
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
a.checkTCPs[cid] = tcp
Add TCP check type Adds the ability to simply check whether a TCP socket accepts connections to determine if it is healthy. This is a light-weight - though less comprehensive than scripting - method of checking network service health. The check parameter `tcp` should be set to the `address:port` combination for the service to be tested. Supports both IPv6 and IPv4, in the case of a hostname that resolves to both, connections will be attempted via both protocol versions, with the first successful connection returning a successful check result. Example check: ```json { "check": { "id": "ssh", "name": "SSH (TCP)", "tcp": "example.com:22", "interval": "10s" } } ```
2015-07-23 11:45:08 +00:00
Add gRPC health-check #3073
2017-12-27 04:35:22 +00:00
case chkType.IsGRPC():
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
if existing, ok := a.checkGRPCs[cid]; ok {
Add gRPC health-check #3073
2017-12-27 04:35:22 +00:00
existing.Stop()
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
delete(a.checkGRPCs, cid)
Add gRPC health-check #3073
2017-12-27 04:35:22 +00:00
}
if chkType.Interval < checks.MinInterval {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Warn("check has interval below minimum",
"check", cid.String(),
"minimum_interval", checks.MinInterval,
)
Add gRPC health-check #3073
2017-12-27 04:35:22 +00:00
chkType.Interval = checks.MinInterval
}
var tlsClientConfig *tls.Config
Changes "TLS" to "GRPCUseTLS" since it only applies to GRPC checks.
2018-02-03 01:29:34 +00:00
if chkType.GRPCUseTLS {
agent: enable reloading of tls config (#5419) This PR introduces reloading tls configuration. Consul will now be able to reload the TLS configuration which previously required a restart. It is not yet possible to turn TLS ON or OFF with these changes. Only when TLS is already turned on, the configuration can be reloaded. Most importantly the certificates and CAs.
2019-03-13 09:29:06 +00:00
tlsClientConfig = a.tlsConfigurator.OutgoingTLSConfigForCheck(chkType.TLSSkipVerify)
Add gRPC health-check #3073
2017-12-27 04:35:22 +00:00
}
grpc := &checks.CheckGRPC{
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
CheckID: cid,
ServiceID: sid,
Add gRPC health-check #3073
2017-12-27 04:35:22 +00:00
GRPC: chkType.GRPC,
Interval: chkType.Interval,
Timeout: chkType.Timeout,
Logger: a.logger,
TLSClientConfig: tlsClientConfig,
Checks to passing/critical only after reaching a consecutive success/failure threshold (#5739) A check may be set to become passing/critical only if a specified number of successive checks return passing/critical in a row. Status will stay identical as before until the threshold is reached. This feature is available for HTTP, TCP, gRPC, Docker & Monitor checks.
2019-10-14 20:49:49 +00:00
StatusHandler: statusHandler,
Add gRPC health-check #3073
2017-12-27 04:35:22 +00:00
}
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
if proxy != nil && proxy.Proxy.Expose.Checks {
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
port, err := a.listenerPortLocked(sid, cid)
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
if err != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Error("error exposing check",
"check", cid.String(),
"error", err,
)
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
return err
}
agent: rewrite checks with proxy address, not local service address (#7518) Exposing checks is supposed to allow a Consul agent bound to a different IP address (e.g., in a different Kubernetes pod) to access healthchecks through the proxy while the underlying service binds to localhost. This is an important security feature that makes sure no external traffic reaches the service except through the proxy. However, as far as I can tell, this is subtly broken in the case where the Consul agent cannot reach the proxy over localhost. If a proxy is configured with: `{ LocalServiceAddress: "127.0.0.1", Checks: true }`, as is typical with a sidecar proxy, the Consul checks are currently rewritten to `127.0.0.1:<random port>`. A Consul agent that does not share the loopback address cannot reach this address. Just to make sure I was not misunderstanding, I tried configuring the proxy with `{ LocalServiceAddress: "<pod ip>", Checks: true }`. In this case, while the checks are rewritten as expected and the agent can reach the dynamic port, the proxy can no longer reach its backend because the traffic is no longer on the loopback interface. I think rewriting the checks to use `proxy.Address`, the proxy's own address, is more correct in this case. That is the IP where the proxy can be reached, both by other proxies and by a Consul agent running on a different IP. The local service address should continue to use `127.0.0.1` in most cases.
2020-04-02 07:35:43 +00:00
grpc.ProxyGRPC = grpcInjectAddr(grpc.GRPC, proxy.Address, port)
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
}
Add gRPC health-check #3073
2017-12-27 04:35:22 +00:00
grpc.Start()
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
a.checkGRPCs[cid] = grpc
Add gRPC health-check #3073
2017-12-27 04:35:22 +00:00
agent: replace docker check This patch replaces the Docker client which is used for health checks with a simplified version tailored for that purpose. See #3254 See #3257 Fixes #3270
2017-07-12 14:01:42 +00:00
case chkType.IsDocker():
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
if existing, ok := a.checkDockers[cid]; ok {
Implemented Docker health checks
2015-10-22 22:29:13 +00:00
existing.Stop()
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
delete(a.checkDockers, cid)
Implemented Docker health checks
2015-10-22 22:29:13 +00:00
}
Decouple the code that executes checks from the agent
2017-10-25 09:18:07 +00:00
if chkType.Interval < checks.MinInterval {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Warn("check has interval below minimum",
"check", cid.String(),
"minimum_interval", checks.MinInterval,
)
Decouple the code that executes checks from the agent
2017-10-25 09:18:07 +00:00
chkType.Interval = checks.MinInterval
Implemented Docker health checks
2015-10-22 22:29:13 +00:00
}
agent: replace docker check This patch replaces the Docker client which is used for health checks with a simplified version tailored for that purpose. See #3254 See #3257 Fixes #3270
2017-07-12 14:01:42 +00:00
if a.dockerClient == nil {
Support for maximum size for Output of checks (#5233) * Support for maximum size for Output of checks This PR allows users to limit the size of output produced by checks at the agent and check level. When set at the agent level, it will limit the output for all checks monitored by the agent. When set at the check level, it can override the agent max for a specific check but only if it is lower than the agent max. Default value is 4k, and input must be at least 1.
2019-06-26 15:43:25 +00:00
dc, err := checks.NewDockerClient(os.Getenv("DOCKER_HOST"), int64(maxOutputSize))
agent: replace docker check This patch replaces the Docker client which is used for health checks with a simplified version tailored for that purpose. See #3254 See #3257 Fixes #3270
2017-07-12 14:01:42 +00:00
if err != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Error("error creating docker client", "error", err)
agent: replace docker check This patch replaces the Docker client which is used for health checks with a simplified version tailored for that purpose. See #3254 See #3257 Fixes #3270
2017-07-12 14:01:42 +00:00
return err
}
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Debug("created docker client", "host", dc.Host())
agent: replace docker check This patch replaces the Docker client which is used for health checks with a simplified version tailored for that purpose. See #3254 See #3257 Fixes #3270
2017-07-12 14:01:42 +00:00
a.dockerClient = dc
}
Decouple the code that executes checks from the agent
2017-10-25 09:18:07 +00:00
dockerCheck := &checks.CheckDocker{
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
CheckID: cid,
ServiceID: sid,
Adds Docker checks support to client API. Also changed `DockerContainerId` to `DockerContainerID`, and updated the agent API docs to reflect their support for Docker checks.
2015-11-18 15:40:02 +00:00
DockerContainerID: chkType.DockerContainerID,
Implemented Docker health checks
2015-10-22 22:29:13 +00:00
Shell: chkType.Shell,
Clean up subprocess handling and make shell use optional (#3509) * Clean up handling of subprocesses and make using a shell optional * Update docs for subprocess changes * Fix tests for new subprocess behavior * More cleanup of subprocesses * Minor adjustments and cleanup for subprocess logic * Makes the watch handler reload test use the new path. * Adds check tests for new args path, and updates existing tests to use new path. * Adds support for script args in Docker checks. * Fixes the sanitize unit test. * Adds panic for unknown watch type, and reverts back to Run(). * Adds shell option back to consul lock command. * Adds shell option back to consul exec command. * Adds shell back into consul watch command. * Refactors signal forwarding and makes Windows-friendly. * Adds a clarifying comment. * Changes error wording to a warning. * Scopes signals to interrupt and kill. This avoids us trying to send SIGCHILD to the dead process. * Adds an error for shell=false for consul exec. * Adds notes about the deprecated script and handler fields. * De-nests an if statement.
2017-10-04 23:48:00 +00:00
ScriptArgs: chkType.ScriptArgs,
Implemented Docker health checks
2015-10-22 22:29:13 +00:00
Interval: chkType.Interval,
Logger: a.logger,
Decouple the code that executes checks from the agent
2017-10-25 09:18:07 +00:00
Client: a.dockerClient,
Checks to passing/critical only after reaching a consecutive success/failure threshold (#5739) A check may be set to become passing/critical only if a specified number of successive checks return passing/critical in a row. Status will stay identical as before until the threshold is reached. This feature is available for HTTP, TCP, gRPC, Docker & Monitor checks.
2019-10-14 20:49:49 +00:00
StatusHandler: statusHandler,
Not adding the docker check if we couldn't create the client
2015-10-26 23:45:12 +00:00
}
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
if prev := a.checkDockers[cid]; prev != nil {
docker: stop previous check on replace
2017-10-26 10:03:07 +00:00
prev.Stop()
}
Implemented Docker health checks
2015-10-22 22:29:13 +00:00
dockerCheck.Start()
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
a.checkDockers[cid] = dockerCheck
agent: replace docker check This patch replaces the Docker client which is used for health checks with a simplified version tailored for that purpose. See #3254 See #3257 Fixes #3270
2017-07-12 14:01:42 +00:00
case chkType.IsMonitor():
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
if existing, ok := a.checkMonitors[cid]; ok {
Defaulting to Monitor check
2015-10-26 22:02:23 +00:00
existing.Stop()
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
delete(a.checkMonitors, cid)
Defaulting to Monitor check
2015-10-26 22:02:23 +00:00
}
Decouple the code that executes checks from the agent
2017-10-25 09:18:07 +00:00
if chkType.Interval < checks.MinInterval {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Warn("check has interval below minimum",
"check", cid.String(),
"minimum_interval", checks.MinInterval,
)
Decouple the code that executes checks from the agent
2017-10-25 09:18:07 +00:00
chkType.Interval = checks.MinInterval
Defaulting to Monitor check
2015-10-26 22:02:23 +00:00
}
Decouple the code that executes checks from the agent
2017-10-25 09:18:07 +00:00
monitor := &checks.CheckMonitor{
Support for maximum size for Output of checks (#5233) * Support for maximum size for Output of checks This PR allows users to limit the size of output produced by checks at the agent and check level. When set at the agent level, it will limit the output for all checks monitored by the agent. When set at the check level, it can override the agent max for a specific check but only if it is lower than the agent max. Default value is 4k, and input must be at least 1.
2019-06-26 15:43:25 +00:00
Notify: a.State,
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
CheckID: cid,
ServiceID: sid,
Support for maximum size for Output of checks (#5233) * Support for maximum size for Output of checks This PR allows users to limit the size of output produced by checks at the agent and check level. When set at the agent level, it will limit the output for all checks monitored by the agent. When set at the check level, it can override the agent max for a specific check but only if it is lower than the agent max. Default value is 4k, and input must be at least 1.
2019-06-26 15:43:25 +00:00
ScriptArgs: chkType.ScriptArgs,
Interval: chkType.Interval,
Timeout: chkType.Timeout,
Logger: a.logger,
OutputMaxSize: maxOutputSize,
Checks to passing/critical only after reaching a consecutive success/failure threshold (#5739) A check may be set to become passing/critical only if a specified number of successive checks return passing/critical in a row. Status will stay identical as before until the threshold is reached. This feature is available for HTTP, TCP, gRPC, Docker & Monitor checks.
2019-10-14 20:49:49 +00:00
StatusHandler: statusHandler,
Defaulting to Monitor check
2015-10-26 22:02:23 +00:00
}
monitor.Start()
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
a.checkMonitors[cid] = monitor
agent: replace docker check This patch replaces the Docker client which is used for health checks with a simplified version tailored for that purpose. See #3254 See #3257 Fixes #3270
2017-07-12 14:01:42 +00:00
agent: run alias checks
2018-06-30 13:38:56 +00:00
case chkType.IsAlias():
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
if existing, ok := a.checkAliases[cid]; ok {
agent: run alias checks
2018-06-30 13:38:56 +00:00
existing.Stop()
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
delete(a.checkAliases, cid)
agent: run alias checks
2018-06-30 13:38:56 +00:00
}
var rpcReq structs.NodeSpecificRequest
rpcReq.Datacenter = a.config.Datacenter
agent: use the correct ACL token for alias checks
2018-07-12 17:17:53 +00:00
// The token to set is really important. The behavior below follows
// the same behavior as anti-entropy: we use the user-specified token
// if set (either on the service or check definition), otherwise
// we use the "UserToken" on the agent. This is tested.
rpcReq.Token = a.tokens.UserToken()
if token != "" {
rpcReq.Token = token
}
agent: run alias checks
2018-06-30 13:38:56 +00:00
agent/structs: Remove ServiceID.Init and CheckID.Init The Init method provided the same functionality as the New constructor. The constructor is both more widely used, and more idiomatic, so remove the Init method. This change is in preparation for fixing printing of these IDs.
2020-04-15 16:03:29 +00:00
aliasServiceID := structs.NewServiceID(chkType.AliasService, &check.EnterpriseMeta)
agent: run alias checks
2018-06-30 13:38:56 +00:00
chkImpl := &checks.CheckAlias{
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
Notify: a.State,
RPC: a.delegate,
RPCReq: rpcReq,
CheckID: cid,
Node: chkType.AliasNode,
ServiceID: aliasServiceID,
EnterpriseMeta: check.EnterpriseMeta,
agent: run alias checks
2018-06-30 13:38:56 +00:00
}
chkImpl.Start()
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
a.checkAliases[cid] = chkImpl
agent: run alias checks
2018-06-30 13:38:56 +00:00
agent: replace docker check This patch replaces the Docker client which is used for health checks with a simplified version tailored for that purpose. See #3254 See #3257 Fixes #3270
2017-07-12 14:01:42 +00:00
default:
Making an explicit check to test whether a check is of type Monitor
2015-10-27 02:52:32 +00:00
return fmt.Errorf("Check type is not valid")
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
}
Adds ability to deregister a service based on critical check state longer than a timeout.
2016-08-16 07:05:55 +00:00
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
// Notify channel that watches for service state changes
// This is a non-blocking send to avoid synchronizing on a large number of check updates
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
s := a.State.ServiceState(sid)
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
if s != nil && !s.Deleted {
select {
case s.WatchCh <- struct{}{}:
default:
}
}
Adds ability to deregister a service based on critical check state longer than a timeout.
2016-08-16 07:05:55 +00:00
if chkType.DeregisterCriticalServiceAfter > 0 {
timeout := chkType.DeregisterCriticalServiceAfter
if timeout < a.config.CheckDeregisterIntervalMin {
timeout = a.config.CheckDeregisterIntervalMin
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Warn("check has deregister interval below minimum",
"check", cid.String(),
"minimum_interval", a.config.CheckDeregisterIntervalMin,
)
Adds ability to deregister a service based on critical check state longer than a timeout.
2016-08-16 07:05:55 +00:00
}
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
a.checkReapAfter[cid] = timeout
Adds ability to deregister a service based on critical check state longer than a timeout.
2016-08-16 07:05:55 +00:00
} else {
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
delete(a.checkReapAfter, cid)
Adds ability to deregister a service based on critical check state longer than a timeout.
2016-08-16 07:05:55 +00:00
}
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
}
agent: prefer config over persisted services/checks (#497)
2014-11-25 03:24:32 +00:00
return nil
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
}
// RemoveCheck is used to remove a health check.
// The agent will make a best effort to ensure it is deregistered
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
func (a *Agent) RemoveCheck(checkID structs.CheckID, persist bool) error {
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
a.stateLock.Lock()
defer a.stateLock.Unlock()
return a.removeCheckLocked(checkID, persist)
}
// removeCheckLocked is used to remove a health check.
// The agent will make a best effort to ensure it is deregistered
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
func (a *Agent) removeCheckLocked(checkID structs.CheckID, persist bool) error {
Validate ServiceID/CheckID when deregistering.
2015-01-26 16:06:49 +00:00
// Validate CheckID
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
if checkID.ID == "" {
Validate ServiceID/CheckID when deregistering.
2015-01-26 16:06:49 +00:00
return fmt.Errorf("CheckID missing")
}
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
// Notify channel that watches for service state changes
// This is a non-blocking send to avoid synchronizing on a large number of check updates
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
var svcID structs.ServiceID
if c := a.State.Check(checkID); c != nil {
svcID = c.CompoundServiceID()
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
}
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
s := a.State.ServiceState(svcID)
if s != nil && !s.Deleted {
select {
case s.WatchCh <- struct{}{}:
default:
}
}
// Delete port from allocated port set
// If checks weren't being exposed then this is a no-op
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
portKey := listenerPortKey(svcID, checkID)
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
delete(a.exposedPorts, portKey)
Clean up any watch monitors associated with a failed AddCheck
2017-07-18 21:54:20 +00:00
a.cancelCheckMonitors(checkID)
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
a.State.RemoveCheck(checkID)
Clean up any watch monitors associated with a failed AddCheck
2017-07-18 21:54:20 +00:00
if persist {
if err := a.purgeCheck(checkID); err != nil {
return err
}
if err := a.purgeCheckState(checkID); err != nil {
return err
}
}
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Debug("removed check", "check", checkID.String())
Clean up any watch monitors associated with a failed AddCheck
2017-07-18 21:54:20 +00:00
return nil
}
docs: document exported functions in agent.go (closes #7101) (#7366) and fix one linter error
2020-04-01 20:52:23 +00:00
// ServiceHTTPBasedChecks returns HTTP and GRPC based Checks
// for the given serviceID
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
func (a *Agent) ServiceHTTPBasedChecks(serviceID structs.ServiceID) []structs.CheckType {
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
a.stateLock.Lock()
defer a.stateLock.Unlock()
var chkTypes = make([]structs.CheckType, 0)
for _, c := range a.checkHTTPs {
if c.ServiceID == serviceID {
chkTypes = append(chkTypes, c.CheckType())
}
}
for _, c := range a.checkGRPCs {
if c.ServiceID == serviceID {
chkTypes = append(chkTypes, c.CheckType())
}
}
return chkTypes
}
docs: document exported functions in agent.go (closes #7101) (#7366) and fix one linter error
2020-04-01 20:52:23 +00:00
// AdvertiseAddrLAN returns the AdvertiseAddrLAN config value
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
func (a *Agent) AdvertiseAddrLAN() string {
return a.config.AdvertiseAddrLAN.String()
}
Default managed proxy TCP check address sanely when proxy is bound to 0.0.0.0. This also provides a mechanism to configure custom address or disable the check entirely from managed proxy config.
2018-07-12 11:57:10 +00:00
// resolveProxyCheckAddress returns the best address to use for a TCP check of
// the proxy's public listener. It expects the input to already have default
// values populated by applyProxyConfigDefaults. It may return an empty string
// indicating that the TCP check should not be created at all.
//
// By default this uses the proxy's bind address which in turn defaults to the
// agent's bind address. If the proxy bind address ends up being 0.0.0.0 we have
// to assume the agent can dial it over loopback which is usually true.
//
// In some topologies such as proxy being in a different container, the IP the
// agent used to dial proxy over a local bridge might not be the same as the
// container's public routable IP address so we allow a manual override of the
// check address in config "tcp_check_address" too.
//
// Finally the TCP check can be disabled by another manual override
// "disable_tcp_check" in cases where the agent will never be able to dial the
// proxy directly for some reason.
func (a *Agent) resolveProxyCheckAddress(proxyCfg map[string]interface{}) string {
// If user disabled the check return empty string
if disable, ok := proxyCfg["disable_tcp_check"].(bool); ok && disable {
return ""
}
// If user specified a custom one, use that
if chkAddr, ok := proxyCfg["tcp_check_address"].(string); ok && chkAddr != "" {
return chkAddr
}
// If we have a bind address and its diallable, use that
if bindAddr, ok := proxyCfg["bind_address"].(string); ok &&
bindAddr != "" && bindAddr != "0.0.0.0" && bindAddr != "[::]" {
return bindAddr
}
// Default to localhost
return "127.0.0.1"
}
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
func (a *Agent) cancelCheckMonitors(checkID structs.CheckID) {
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
// Stop any monitors
Adds ability to deregister a service based on critical check state longer than a timeout.
2016-08-16 07:05:55 +00:00
delete(a.checkReapAfter, checkID)
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
if check, ok := a.checkMonitors[checkID]; ok {
check.Stop()
delete(a.checkMonitors, checkID)
}
command/agent: Stop HTTP checks when the check is removed
2015-01-12 22:34:39 +00:00
if check, ok := a.checkHTTPs[checkID]; ok {
check.Stop()
delete(a.checkHTTPs, checkID)
}
Add TCP check type Adds the ability to simply check whether a TCP socket accepts connections to determine if it is healthy. This is a light-weight - though less comprehensive than scripting - method of checking network service health. The check parameter `tcp` should be set to the `address:port` combination for the service to be tested. Supports both IPv6 and IPv4, in the case of a hostname that resolves to both, connections will be attempted via both protocol versions, with the first successful connection returning a successful check result. Example check: ```json { "check": { "id": "ssh", "name": "SSH (TCP)", "tcp": "example.com:22", "interval": "10s" } } ```
2015-07-23 11:45:08 +00:00
if check, ok := a.checkTCPs[checkID]; ok {
check.Stop()
delete(a.checkTCPs, checkID)
}
Add gRPC health-check #3073
2017-12-27 04:35:22 +00:00
if check, ok := a.checkGRPCs[checkID]; ok {
check.Stop()
delete(a.checkGRPCs, checkID)
}
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
if check, ok := a.checkTTLs[checkID]; ok {
check.Stop()
delete(a.checkTTLs, checkID)
}
agent: stop and remove docker checks Note that there is no test since the correct way to solve (and test) this is to replace the different maps with a single one or to hide that functionality behind a separate data structure. This will be addressed in #3294. Fixes #3265
2017-07-18 18:50:37 +00:00
if check, ok := a.checkDockers[checkID]; ok {
check.Stop()
delete(a.checkDockers, checkID)
}
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
}
Adds ability to deregister a service based on critical check state longer than a timeout.
2016-08-16 07:05:55 +00:00
// updateTTLCheck is used to update the status of a TTL check via the Agent API.
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
func (a *Agent) updateTTLCheck(checkID structs.CheckID, status, output string) error {
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
a.stateLock.Lock()
defer a.stateLock.Unlock()
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
Adds ability to deregister a service based on critical check state longer than a timeout.
2016-08-16 07:05:55 +00:00
// Grab the TTL check.
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
check, ok := a.checkTTLs[checkID]
if !ok {
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
return fmt.Errorf("CheckID %q does not have associated TTL", checkID.String())
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
}
Adds ability to deregister a service based on critical check state longer than a timeout.
2016-08-16 07:05:55 +00:00
// Set the status through CheckTTL to reset the TTL.
Support for maximum size for Output of checks (#5233) * Support for maximum size for Output of checks This PR allows users to limit the size of output produced by checks at the agent and check level. When set at the agent level, it will limit the output for all checks monitored by the agent. When set at the check level, it can override the agent max for a specific check but only if it is lower than the agent max. Default value is 4k, and input must be at least 1.
2019-06-26 15:43:25 +00:00
outputTruncated := check.SetStatus(status, output)
agent: first stab at persisting check state
2015-06-05 23:17:07 +00:00
Adds ability to deregister a service based on critical check state longer than a timeout.
2016-08-16 07:05:55 +00:00
// We don't write any files in dev mode so bail here.
Fixs a few issues that stopped this working in real life but not caught by tests: - Dev mode assumed no persistence of services although proxy state is persisted which caused proxies to be killed on startup as their services were no longer registered. Fixed. - Didn't snapshot the ProxyID which meant that proxies were adopted OK from snapshot but failed to restart if they died since there was no proxyID in the ENV on restart - Dev mode with no persistence just kills all proxies on shutdown since it can't recover them later - Naming things
2018-06-06 20:04:19 +00:00
if a.config.DataDir == "" {
consul: dev mode works
2015-11-29 04:40:05 +00:00
return nil
}
Adds ability to deregister a service based on critical check state longer than a timeout.
2016-08-16 07:05:55 +00:00
// Persist the state so the TTL check can come up in a good state after
// an agent restart, especially with long TTL values.
Support for maximum size for Output of checks (#5233) * Support for maximum size for Output of checks This PR allows users to limit the size of output produced by checks at the agent and check level. When set at the agent level, it will limit the output for all checks monitored by the agent. When set at the check level, it can override the agent max for a specific check but only if it is lower than the agent max. Default value is 4k, and input must be at least 1.
2019-06-26 15:43:25 +00:00
if err := a.persistCheckState(check, status, outputTruncated); err != nil {
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
return fmt.Errorf("failed persisting state for check %q: %s", checkID.String(), err)
agent: first stab at persisting check state
2015-06-05 23:17:07 +00:00
}
return nil
}
// persistCheckState is used to record the check status into the data dir.
// This allows the state to be restored on a later agent start. Currently
// only useful for TTL based checks.
Decouple the code that executes checks from the agent
2017-10-25 09:18:07 +00:00
func (a *Agent) persistCheckState(check *checks.CheckTTL, status, output string) error {
agent: first stab at persisting check state
2015-06-05 23:17:07 +00:00
// Create the persisted state
state := persistedCheckState{
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
CheckID: check.CheckID.ID,
Status: status,
Output: output,
Expires: time.Now().Add(check.TTL).Unix(),
EnterpriseMeta: check.CheckID.EnterpriseMeta,
agent: first stab at persisting check state
2015-06-05 23:17:07 +00:00
}
// Encode the state
buf, err := json.Marshal(state)
if err != nil {
return err
}
// Create the state dir if it doesn't exist
dir := filepath.Join(a.config.DataDir, checkStateDir)
if err := os.MkdirAll(dir, 0700); err != nil {
return fmt.Errorf("failed creating check state dir %q: %s", dir, err)
}
// Write the state to the file
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
file := filepath.Join(dir, check.CheckID.StringHash())
Call fsync() for saving check/service state
2016-11-07 18:51:03 +00:00
// Create temp file in same dir, to make more likely atomic
atomic write service state and checks files, fixes #1221
2016-08-03 15:32:21 +00:00
tempFile := file + ".tmp"
Add a note about not calling sync for persistCheckState
2016-11-07 20:24:31 +00:00
// persistCheckState is called frequently, so don't use writeFileAtomic to avoid calling fsync here
atomic write service state and checks files, fixes #1221
2016-08-03 15:32:21 +00:00
if err := ioutil.WriteFile(tempFile, buf, 0600); err != nil {
return fmt.Errorf("failed writing temp file %q: %s", tempFile, err)
}
if err := os.Rename(tempFile, file); err != nil {
return fmt.Errorf("failed to rename temp file from %q to %q: %s", tempFile, file, err)
agent: first stab at persisting check state
2015-06-05 23:17:07 +00:00
}
return nil
}
agent: use persist/load/purge convention for function names
2015-06-08 16:35:10 +00:00
// loadCheckState is used to restore the persisted state of a check.
func (a *Agent) loadCheckState(check *structs.HealthCheck) error {
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
cid := check.CompoundCheckID()
agent: first stab at persisting check state
2015-06-05 23:17:07 +00:00
// Try to read the persisted state for this check
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
file := filepath.Join(a.config.DataDir, checkStateDir, cid.StringHash())
agent: first stab at persisting check state
2015-06-05 23:17:07 +00:00
buf, err := ioutil.ReadFile(file)
if err != nil {
if os.IsNotExist(err) {
return nil
}
return fmt.Errorf("failed reading file %q: %s", file, err)
}
// Decode the state data
var p persistedCheckState
if err := json.Unmarshal(buf, &p); err != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Error("failed decoding check state", "error", err)
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
return a.purgeCheckState(cid)
agent: first stab at persisting check state
2015-06-05 23:17:07 +00:00
}
// Check if the state has expired
agent: testing state persistence, recovery, and expiration
2015-06-05 23:45:05 +00:00
if time.Now().Unix() >= p.Expires {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Debug("check state expired, not restoring", "check", cid.String())
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
return a.purgeCheckState(cid)
agent: first stab at persisting check state
2015-06-05 23:17:07 +00:00
}
// Restore the fields from the state
check.Output = p.Output
check.Status = p.Status
agent: Adding methods to register services and checks
2014-01-30 21:39:02 +00:00
return nil
}
agent: Adding Stats() export
2014-02-24 00:42:39 +00:00
agent: purge check state when checks are deregistered
2015-06-05 23:57:14 +00:00
// purgeCheckState is used to purge the state of a check from the data dir
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
func (a *Agent) purgeCheckState(checkID structs.CheckID) error {
file := filepath.Join(a.config.DataDir, checkStateDir, checkID.StringHash())
agent: purge check state when checks are deregistered
2015-06-05 23:57:14 +00:00
err := os.Remove(file)
if os.IsNotExist(err) {
return nil
}
return err
}
agent: Adding Stats() export
2014-02-24 00:42:39 +00:00
// Stats is used to get various debugging state from the sub-systems
func (a *Agent) Stats() map[string]map[string]string {
agent: Replace client/server with delegate interface This patch adds a new internal interface clientServer which defines the common methods of consul.Client and consul.Server. This allows to replace the following code if a.server != nil { a.server.do() } else { a.client.do() } with a.delegate.do() In case a specific type is required a type check can be performed: if srv, ok := a.delegate.(*consul.Server); ok { srv.doSrv() }
2017-05-15 14:05:17 +00:00
stats := a.delegate.Stats()
agent: Adding Stats() export
2014-02-24 00:42:39 +00:00
stats["agent"] = map[string]string{
local state: move to separate package This patch moves the local state to a separate package to further decouple it from the agent code. The code compiles but the tests do not yet.
2017-08-28 12:17:12 +00:00
"check_monitors": strconv.Itoa(len(a.checkMonitors)),
"check_ttls": strconv.Itoa(len(a.checkTTLs)),
}
local state: tests compile
2017-08-28 12:17:13 +00:00
for k, v := range a.State.Stats() {
local state: move to separate package This patch moves the local state to a separate package to further decouple it from the agent code. The code compiles but the tests do not yet.
2017-08-28 12:17:12 +00:00
stats["agent"][k] = v
agent: Adding Stats() export
2014-02-24 00:42:39 +00:00
}
agent: Add version to info output
2014-06-06 21:40:22 +00:00
revision := a.config.Revision
if len(revision) > 8 {
revision = revision[:8]
}
stats["build"] = map[string]string{
"revision": revision,
"version": a.config.Version,
"prerelease": a.config.VersionPrerelease,
}
agent: Adding Stats() export
2014-02-24 00:42:39 +00:00
return stats
}
Add flag to agent to write pid file
2014-05-06 03:29:50 +00:00
agent: Minor cleanups
2014-05-06 19:43:33 +00:00
// storePid is used to write out our PID to a file if necessary
Return pid file errors and fix help formatting
2014-05-06 16:57:53 +00:00
func (a *Agent) storePid() error {
agent: Minor cleanups
2014-05-06 19:43:33 +00:00
// Quit fast if no pidfile
Add flag to agent to write pid file
2014-05-06 03:29:50 +00:00
pidPath := a.config.PidFile
agent: Minor cleanups
2014-05-06 19:43:33 +00:00
if pidPath == "" {
return nil
}
Add flag to agent to write pid file
2014-05-06 03:29:50 +00:00
agent: Minor cleanups
2014-05-06 19:43:33 +00:00
// Open the PID file
pidFile, err := os.OpenFile(pidPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0666)
if err != nil {
return fmt.Errorf("Could not open pid file: %v", err)
Add flag to agent to write pid file
2014-05-06 03:29:50 +00:00
}
agent: Minor cleanups
2014-05-06 19:43:33 +00:00
defer pidFile.Close()
Return pid file errors and fix help formatting
2014-05-06 16:57:53 +00:00
agent: Minor cleanups
2014-05-06 19:43:33 +00:00
// Write out the PID
pid := os.Getpid()
_, err = pidFile.WriteString(fmt.Sprintf("%d", pid))
if err != nil {
return fmt.Errorf("Could not write to pid file: %s", err)
}
Return pid file errors and fix help formatting
2014-05-06 16:57:53 +00:00
return nil
Add flag to agent to write pid file
2014-05-06 03:29:50 +00:00
}
agent: Minor cleanups
2014-05-06 19:43:33 +00:00
// deletePid is used to delete our PID on exit
Return pid file errors and fix help formatting
2014-05-06 16:57:53 +00:00
func (a *Agent) deletePid() error {
agent: Minor cleanups
2014-05-06 19:43:33 +00:00
// Quit fast if no pidfile
Add flag to agent to write pid file
2014-05-06 03:29:50 +00:00
pidPath := a.config.PidFile
agent: Minor cleanups
2014-05-06 19:43:33 +00:00
if pidPath == "" {
return nil
}
Add flag to agent to write pid file
2014-05-06 03:29:50 +00:00
agent: Minor cleanups
2014-05-06 19:43:33 +00:00
stat, err := os.Stat(pidPath)
if err != nil {
return fmt.Errorf("Could not remove pid file: %s", err)
}
Add flag to agent to write pid file
2014-05-06 03:29:50 +00:00
agent: Minor cleanups
2014-05-06 19:43:33 +00:00
if stat.IsDir() {
return fmt.Errorf("Specified pid file path is directory")
Add flag to agent to write pid file
2014-05-06 03:29:50 +00:00
}
Return pid file errors and fix help formatting
2014-05-06 16:57:53 +00:00
agent: Minor cleanups
2014-05-06 19:43:33 +00:00
err = os.Remove(pidPath)
if err != nil {
return fmt.Errorf("Could not remove pid file: %s", err)
}
Return pid file errors and fix help formatting
2014-05-06 16:57:53 +00:00
return nil
Add flag to agent to write pid file
2014-05-06 03:29:50 +00:00
}
agent: allow config reload to modify checks/services persistence This change consolidates loading services and checks from both config and persisted state into methods on the agent. As part of this, we introduce optional persistence when calling RemoveCheck/RemoveService. Fixes a bug where config reloads would kill persisted services/checks. Also fixes an edge case: 1. A service or check is registered via the HTTP API 2. A new service or check definition with the same ID is added to config 3. Config is reloaded The desired behavior (which this implements) is: 1. All services and checks deregistered in memory 2. All services and checks in config are registered first 3. All persisted checks are restored using the same logic as the agent start sequence, which prioritizes config over persisted, and removes any persistence files if new config counterparts are present.
2014-11-26 07:58:02 +00:00
agent: separate service and check loading/unloading concerns
2015-01-08 02:05:46 +00:00
// loadServices will load service definitions from configuration and persisted
// definitions on disk, and load them into the local agent.
agent: configuration reload preserves check's statuses for services (#7345) This fixes issue #7318 Between versions 1.5.2 and 1.5.3, a regression has been introduced regarding health of services. A patch #6144 had been issued for HealthChecks of nodes, but not for healthchecks of services. What happened when a reload was: 1. save all healthcheck statuses 2. cleanup everything 3. add new services with healthchecks In step 3, the state of healthchecks was taken into account locally, so at step 3, but since we cleaned up at step 2, state was lost. This PR introduces the snap parameter, so step 3 can use information from step 1
2020-03-09 11:59:41 +00:00
func (a *Agent) loadServices(conf *config.RuntimeConfig, snap map[structs.CheckID]*structs.HealthCheck) error {
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
// Load any persisted service configs so we can feed those into the initial
// registrations below.
persistedServiceConfigs, err := a.readPersistedServiceConfigs()
if err != nil {
return err
}
agent: allow config reload to modify checks/services persistence This change consolidates loading services and checks from both config and persisted state into methods on the agent. As part of this, we introduce optional persistence when calling RemoveCheck/RemoveService. Fixes a bug where config reloads would kill persisted services/checks. Also fixes an edge case: 1. A service or check is registered via the HTTP API 2. A new service or check definition with the same ID is added to config 3. Config is reloaded The desired behavior (which this implements) is: 1. All services and checks deregistered in memory 2. All services and checks in config are registered first 3. All persisted checks are restored using the same logic as the agent start sequence, which prioritizes config over persisted, and removes any persistence files if new config counterparts are present.
2014-11-26 07:58:02 +00:00
// Register the services from config
for _, service := range conf.Services {
ns := service.NodeService()
Fixes agent error handling when check definition is invalid. Distingu… (#3560) * Fixes agent error handling when check definition is invalid. Distinguishes between empty checks vs invalid checks * Made CheckTypes return Checks from service definition struct rather than a new copy, and other changes from code review. This also errors when json payload contains empty structs * Simplify and improve validate method, and make sure that CheckTypes always returns a new copy of validated check definitions * Tweaks some small style things and error messages. * Updates the change log.
2017-10-10 23:54:06 +00:00
chkTypes, err := service.CheckTypes()
if err != nil {
return fmt.Errorf("Failed to validate checks for service %q: %v", service.Name, err)
}
Add SidecarService Syntax sugar to Service Definition (#4686) * Added new Config for SidecarService in ServiceDefinitions. * WIP: all the code needed for SidecarService is written... none of it is tested other than config :). Need API updates too. * Test coverage for the new sidecarServiceFromNodeService method. * Test API registratrion with SidecarService * Recursive Key Translation :facepalm: * Add tests for nested sidecar defintion arrays to ensure they are translated correctly * Use dedicated internal state rather than Service Meta for tracking sidecars for deregistration. Add tests for deregistration. * API struct for agent register. No other endpoint should be affected yet. * Additional test cases to cover updates to API registrations
2018-09-27 13:33:12 +00:00
// Grab and validate sidecar if there is one too
sidecar, sidecarChecks, sidecarToken, err := a.sidecarServiceFromNodeService(ns, service.Token)
if err != nil {
return fmt.Errorf("Failed to validate sidecar for service %q: %v", service.Name, err)
}
// Remove sidecar from NodeService now it's done it's job it's just a config
// syntax sugar and shouldn't be persisted in local or server state.
ns.Connect.SidecarService = nil
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
sid := ns.CompoundServiceID()
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
err = a.addServiceLocked(&addServiceRequest{
service: ns,
chkTypes: chkTypes,
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
previousDefaults: persistedServiceConfigs[sid],
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
waitForCentralConfig: false, // exclusively use cached values
persist: false, // don't rewrite the file with the same data we just read
persistServiceConfig: false, // don't rewrite the file with the same data we just read
token: service.Token,
replaceExistingChecks: false, // do default behavior
source: ConfigSourceLocal,
agent: when enable_central_service_config is enabled ensure agent reload doesn't revert check state to critical (#8747) Likely introduced when #7345 landed.
2020-09-24 21:24:04 +00:00
snap: snap,
})
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
if err != nil {
Fixes agent error handling when check definition is invalid. Distingu… (#3560) * Fixes agent error handling when check definition is invalid. Distinguishes between empty checks vs invalid checks * Made CheckTypes return Checks from service definition struct rather than a new copy, and other changes from code review. This also errors when json payload contains empty structs * Simplify and improve validate method, and make sure that CheckTypes always returns a new copy of validated check definitions * Tweaks some small style things and error messages. * Updates the change log.
2017-10-10 23:54:06 +00:00
return fmt.Errorf("Failed to register service %q: %v", service.Name, err)
agent: allow config reload to modify checks/services persistence This change consolidates loading services and checks from both config and persisted state into methods on the agent. As part of this, we introduce optional persistence when calling RemoveCheck/RemoveService. Fixes a bug where config reloads would kill persisted services/checks. Also fixes an edge case: 1. A service or check is registered via the HTTP API 2. A new service or check definition with the same ID is added to config 3. Config is reloaded The desired behavior (which this implements) is: 1. All services and checks deregistered in memory 2. All services and checks in config are registered first 3. All persisted checks are restored using the same logic as the agent start sequence, which prioritizes config over persisted, and removes any persistence files if new config counterparts are present.
2014-11-26 07:58:02 +00:00
}
Add SidecarService Syntax sugar to Service Definition (#4686) * Added new Config for SidecarService in ServiceDefinitions. * WIP: all the code needed for SidecarService is written... none of it is tested other than config :). Need API updates too. * Test coverage for the new sidecarServiceFromNodeService method. * Test API registratrion with SidecarService * Recursive Key Translation :facepalm: * Add tests for nested sidecar defintion arrays to ensure they are translated correctly * Use dedicated internal state rather than Service Meta for tracking sidecars for deregistration. Add tests for deregistration. * API struct for agent register. No other endpoint should be affected yet. * Additional test cases to cover updates to API registrations
2018-09-27 13:33:12 +00:00
// If there is a sidecar service, register that too.
if sidecar != nil {
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
sidecarServiceID := sidecar.CompoundServiceID()
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
err = a.addServiceLocked(&addServiceRequest{
service: sidecar,
chkTypes: sidecarChecks,
previousDefaults: persistedServiceConfigs[sidecarServiceID],
waitForCentralConfig: false, // exclusively use cached values
persist: false, // don't rewrite the file with the same data we just read
persistServiceConfig: false, // don't rewrite the file with the same data we just read
token: sidecarToken,
replaceExistingChecks: false, // do default behavior
source: ConfigSourceLocal,
agent: when enable_central_service_config is enabled ensure agent reload doesn't revert check state to critical (#8747) Likely introduced when #7345 landed.
2020-09-24 21:24:04 +00:00
snap: snap,
})
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
if err != nil {
Add SidecarService Syntax sugar to Service Definition (#4686) * Added new Config for SidecarService in ServiceDefinitions. * WIP: all the code needed for SidecarService is written... none of it is tested other than config :). Need API updates too. * Test coverage for the new sidecarServiceFromNodeService method. * Test API registratrion with SidecarService * Recursive Key Translation :facepalm: * Add tests for nested sidecar defintion arrays to ensure they are translated correctly * Use dedicated internal state rather than Service Meta for tracking sidecars for deregistration. Add tests for deregistration. * API struct for agent register. No other endpoint should be affected yet. * Additional test cases to cover updates to API registrations
2018-09-27 13:33:12 +00:00
return fmt.Errorf("Failed to register sidecar for service %q: %v", service.Name, err)
}
}
agent: allow config reload to modify checks/services persistence This change consolidates loading services and checks from both config and persisted state into methods on the agent. As part of this, we introduce optional persistence when calling RemoveCheck/RemoveService. Fixes a bug where config reloads would kill persisted services/checks. Also fixes an edge case: 1. A service or check is registered via the HTTP API 2. A new service or check definition with the same ID is added to config 3. Config is reloaded The desired behavior (which this implements) is: 1. All services and checks deregistered in memory 2. All services and checks in config are registered first 3. All persisted checks are restored using the same logic as the agent start sequence, which prioritizes config over persisted, and removes any persistence files if new config counterparts are present.
2014-11-26 07:58:02 +00:00
}
// Load any persisted services
agent: consolidate service loading code, better logging
2015-01-08 05:24:47 +00:00
svcDir := filepath.Join(a.config.DataDir, servicesDir)
agent: refactor loadChecks/loadServices, fixes a few minor bugs
2015-06-04 21:33:30 +00:00
files, err := ioutil.ReadDir(svcDir)
if err != nil {
if os.IsNotExist(err) {
return nil
}
return fmt.Errorf("Failed reading services dir %q: %s", svcDir, err)
agent: allow config reload to modify checks/services persistence This change consolidates loading services and checks from both config and persisted state into methods on the agent. As part of this, we introduce optional persistence when calling RemoveCheck/RemoveService. Fixes a bug where config reloads would kill persisted services/checks. Also fixes an edge case: 1. A service or check is registered via the HTTP API 2. A new service or check definition with the same ID is added to config 3. Config is reloaded The desired behavior (which this implements) is: 1. All services and checks deregistered in memory 2. All services and checks in config are registered first 3. All persisted checks are restored using the same logic as the agent start sequence, which prioritizes config over persisted, and removes any persistence files if new config counterparts are present.
2014-11-26 07:58:02 +00:00
}
agent: refactor loadChecks/loadServices, fixes a few minor bugs
2015-06-04 21:33:30 +00:00
for _, fi := range files {
// Skip all dirs
if fi.IsDir() {
continue
}
agent: allow config reload to modify checks/services persistence This change consolidates loading services and checks from both config and persisted state into methods on the agent. As part of this, we introduce optional persistence when calling RemoveCheck/RemoveService. Fixes a bug where config reloads would kill persisted services/checks. Also fixes an edge case: 1. A service or check is registered via the HTTP API 2. A new service or check definition with the same ID is added to config 3. Config is reloaded The desired behavior (which this implements) is: 1. All services and checks deregistered in memory 2. All services and checks in config are registered first 3. All persisted checks are restored using the same logic as the agent start sequence, which prioritizes config over persisted, and removes any persistence files if new config counterparts are present.
2014-11-26 07:58:02 +00:00
Clean up temporary files on write errors, and ignore any temporary service files on load with a warning. This fixes #3207
2017-07-24 17:37:14 +00:00
// Skip all partially written temporary files
if strings.HasSuffix(fi.Name(), "tmp") {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Warn("Ignoring temporary service file", "file", fi.Name())
Clean up temporary files on write errors, and ignore any temporary service files on load with a warning. This fixes #3207
2017-07-24 17:37:14 +00:00
continue
}
Removed redundant logging
2017-07-25 02:07:48 +00:00
agent: refactor loadChecks/loadServices, fixes a few minor bugs
2015-06-04 21:33:30 +00:00
// Read the contents into a buffer
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
file := filepath.Join(svcDir, fi.Name())
buf, err := ioutil.ReadFile(file)
agent: consolidate service loading code, better logging
2015-01-08 05:24:47 +00:00
if err != nil {
agent: refactor loadChecks/loadServices, fixes a few minor bugs
2015-06-04 21:33:30 +00:00
return fmt.Errorf("failed reading service file %q: %s", file, err)
agent: consolidate service loading code, better logging
2015-01-08 05:24:47 +00:00
}
agent: refactor loadChecks/loadServices, fixes a few minor bugs
2015-06-04 21:33:30 +00:00
// Try decoding the service definition
var p persistedService
if err := json.Unmarshal(buf, &p); err != nil {
agent: backwards compat for persisted services from pre-0.5.1
2015-04-28 19:18:41 +00:00
// Backwards-compatibility for pre-0.5.1 persisted services
agent: refactor loadChecks/loadServices, fixes a few minor bugs
2015-06-04 21:33:30 +00:00
if err := json.Unmarshal(buf, &p.Service); err != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Error("Failed decoding service file",
"file", file,
"error", err,
)
Add graceful handling of malformed persisted service/check files. Previously a change was made to make the file writing atomic, but that wasn't enough to cover something like an OS crash so we needed something here to handle the situation more gracefully. Fixes #1221.
2018-01-19 22:07:36 +00:00
continue
agent: backwards compat for persisted services from pre-0.5.1
2015-04-28 19:18:41 +00:00
}
agent: consolidate service loading code, better logging
2015-01-08 05:24:47 +00:00
}
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
serviceID := p.Service.CompoundServiceID()
agent: consolidate service loading code, better logging
2015-01-08 05:24:47 +00:00
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
source, ok := ConfigSourceFromName(p.Source)
if !ok {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Warn("service exists with invalid source, purging",
"service", serviceID.String(),
"source", p.Source,
)
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
if err := a.purgeService(serviceID); err != nil {
return fmt.Errorf("failed purging service %q: %s", serviceID, err)
}
if err := a.purgeServiceConfig(serviceID); err != nil {
return fmt.Errorf("failed purging service config %q: %s", serviceID, err)
}
continue
}
local state: tests compile
2017-08-28 12:17:13 +00:00
if a.State.Service(serviceID) != nil {
agent: consolidate service loading code, better logging
2015-01-08 05:24:47 +00:00
// Purge previously persisted service. This allows config to be
// preferred over services persisted from the API.
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Debug("service exists, not restoring from file",
"service", serviceID.String(),
"file", file,
)
agent: refactor loadChecks/loadServices, fixes a few minor bugs
2015-06-04 21:33:30 +00:00
if err := a.purgeService(serviceID); err != nil {
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
return fmt.Errorf("failed purging service %q: %s", serviceID.String(), err)
agent: refactor loadChecks/loadServices, fixes a few minor bugs
2015-06-04 21:33:30 +00:00
}
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
if err := a.purgeServiceConfig(serviceID); err != nil {
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
return fmt.Errorf("failed purging service config %q: %s", serviceID.String(), err)
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
}
agent: consolidate service loading code, better logging
2015-01-08 05:24:47 +00:00
} else {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Debug("restored service definition from file",
"service", serviceID.String(),
"file", file,
)
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
err = a.addServiceLocked(&addServiceRequest{
service: p.Service,
chkTypes: nil,
previousDefaults: persistedServiceConfigs[serviceID],
waitForCentralConfig: false, // exclusively use cached values
persist: false, // don't rewrite the file with the same data we just read
persistServiceConfig: false, // don't rewrite the file with the same data we just read
token: p.Token,
replaceExistingChecks: false, // do default behavior
source: source,
agent: when enable_central_service_config is enabled ensure agent reload doesn't revert check state to critical (#8747) Likely introduced when #7345 landed.
2020-09-24 21:24:04 +00:00
snap: snap,
})
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
if err != nil {
agent: refactor loadChecks/loadServices, fixes a few minor bugs
2015-06-04 21:33:30 +00:00
return fmt.Errorf("failed adding service %q: %s", serviceID, err)
}
agent: consolidate service loading code, better logging
2015-01-08 05:24:47 +00:00
}
agent: refactor loadChecks/loadServices, fixes a few minor bugs
2015-06-04 21:33:30 +00:00
}
agent: consolidate service loading code, better logging
2015-01-08 05:24:47 +00:00
docs: document exported functions in agent.go (closes #7101) (#7366) and fix one linter error
2020-04-01 20:52:23 +00:00
for serviceID := range persistedServiceConfigs {
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
if a.State.Service(serviceID) == nil {
// This can be cleaned up now.
if err := a.purgeServiceConfig(serviceID); err != nil {
return fmt.Errorf("failed purging service config %q: %s", serviceID, err)
}
}
}
agent: refactor loadChecks/loadServices, fixes a few minor bugs
2015-06-04 21:33:30 +00:00
return nil
agent: allow config reload to modify checks/services persistence This change consolidates loading services and checks from both config and persisted state into methods on the agent. As part of this, we introduce optional persistence when calling RemoveCheck/RemoveService. Fixes a bug where config reloads would kill persisted services/checks. Also fixes an edge case: 1. A service or check is registered via the HTTP API 2. A new service or check definition with the same ID is added to config 3. Config is reloaded The desired behavior (which this implements) is: 1. All services and checks deregistered in memory 2. All services and checks in config are registered first 3. All persisted checks are restored using the same logic as the agent start sequence, which prioritizes config over persisted, and removes any persistence files if new config counterparts are present.
2014-11-26 07:58:02 +00:00
}
local state: address review comments * move non-blocking notification mechanism into ae.Trigger * move Pause/Resume into separate type
2017-08-30 10:25:49 +00:00
// unloadServices will deregister all services.
agent: separate service and check loading/unloading concerns
2015-01-08 02:05:46 +00:00
func (a *Agent) unloadServices() error {
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
for id := range a.State.Services(structs.WildcardEnterpriseMeta()) {
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
if err := a.removeServiceLocked(id, false); err != nil {
agent: simplify some loops
2017-08-28 12:17:11 +00:00
return fmt.Errorf("Failed deregistering service '%s': %v", id, err)
agent: allow config reload to modify checks/services persistence This change consolidates loading services and checks from both config and persisted state into methods on the agent. As part of this, we introduce optional persistence when calling RemoveCheck/RemoveService. Fixes a bug where config reloads would kill persisted services/checks. Also fixes an edge case: 1. A service or check is registered via the HTTP API 2. A new service or check definition with the same ID is added to config 3. Config is reloaded The desired behavior (which this implements) is: 1. All services and checks deregistered in memory 2. All services and checks in config are registered first 3. All persisted checks are restored using the same logic as the agent start sequence, which prioritizes config over persisted, and removes any persistence files if new config counterparts are present.
2014-11-26 07:58:02 +00:00
}
}
agent: separate service and check loading/unloading concerns
2015-01-08 02:05:46 +00:00
return nil
}
// loadChecks loads check definitions and/or persisted check definitions from
// disk and re-registers them with the local agent.
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
func (a *Agent) loadChecks(conf *config.RuntimeConfig, snap map[structs.CheckID]*structs.HealthCheck) error {
agent: allow config reload to modify checks/services persistence This change consolidates loading services and checks from both config and persisted state into methods on the agent. As part of this, we introduce optional persistence when calling RemoveCheck/RemoveService. Fixes a bug where config reloads would kill persisted services/checks. Also fixes an edge case: 1. A service or check is registered via the HTTP API 2. A new service or check definition with the same ID is added to config 3. Config is reloaded The desired behavior (which this implements) is: 1. All services and checks deregistered in memory 2. All services and checks in config are registered first 3. All persisted checks are restored using the same logic as the agent start sequence, which prioritizes config over persisted, and removes any persistence files if new config counterparts are present.
2014-11-26 07:58:02 +00:00
// Register the checks from config
for _, check := range conf.Checks {
health := check.HealthCheck(conf.NodeName)
agent: avoid reverting any check updates that occur while a service is being added or the config is reloaded (#6144)
2019-07-17 19:06:50 +00:00
// Restore the fields from the snapshot.
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
if prev, ok := snap[health.CompoundCheckID()]; ok {
agent: avoid reverting any check updates that occur while a service is being added or the config is reloaded (#6144)
2019-07-17 19:06:50 +00:00
health.Output = prev.Output
health.Status = prev.Status
}
agent: support custom check id and name This patch adds support for a custom check id and name when registering a service. This is achieved by adding a CheckID and a Name field to the CheckType structure which is used to register checks with a service and when returning health check definitions. CheckDefinition is a superset of CheckType which duplicates some of the fields of CheckType. This patch decouples these two structures by removing the embedding of CheckType in CheckDefinition. Fixes #3047
2017-05-15 19:49:13 +00:00
chkType := check.CheckType()
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
if err := a.addCheckLocked(health, chkType, false, check.Token, ConfigSourceLocal); err != nil {
agent: allow config reload to modify checks/services persistence This change consolidates loading services and checks from both config and persisted state into methods on the agent. As part of this, we introduce optional persistence when calling RemoveCheck/RemoveService. Fixes a bug where config reloads would kill persisted services/checks. Also fixes an edge case: 1. A service or check is registered via the HTTP API 2. A new service or check definition with the same ID is added to config 3. Config is reloaded The desired behavior (which this implements) is: 1. All services and checks deregistered in memory 2. All services and checks in config are registered first 3. All persisted checks are restored using the same logic as the agent start sequence, which prioritizes config over persisted, and removes any persistence files if new config counterparts are present.
2014-11-26 07:58:02 +00:00
return fmt.Errorf("Failed to register check '%s': %v %v", check.Name, err, check)
}
}
// Load any persisted checks
agent: consolidate service loading code, better logging
2015-01-08 05:24:47 +00:00
checkDir := filepath.Join(a.config.DataDir, checksDir)
agent: refactor loadChecks/loadServices, fixes a few minor bugs
2015-06-04 21:33:30 +00:00
files, err := ioutil.ReadDir(checkDir)
if err != nil {
if os.IsNotExist(err) {
return nil
}
return fmt.Errorf("Failed reading checks dir %q: %s", checkDir, err)
agent: allow config reload to modify checks/services persistence This change consolidates loading services and checks from both config and persisted state into methods on the agent. As part of this, we introduce optional persistence when calling RemoveCheck/RemoveService. Fixes a bug where config reloads would kill persisted services/checks. Also fixes an edge case: 1. A service or check is registered via the HTTP API 2. A new service or check definition with the same ID is added to config 3. Config is reloaded The desired behavior (which this implements) is: 1. All services and checks deregistered in memory 2. All services and checks in config are registered first 3. All persisted checks are restored using the same logic as the agent start sequence, which prioritizes config over persisted, and removes any persistence files if new config counterparts are present.
2014-11-26 07:58:02 +00:00
}
agent: refactor loadChecks/loadServices, fixes a few minor bugs
2015-06-04 21:33:30 +00:00
for _, fi := range files {
// Ignore dirs - we only care about the check definition files
if fi.IsDir() {
continue
}
agent: allow config reload to modify checks/services persistence This change consolidates loading services and checks from both config and persisted state into methods on the agent. As part of this, we introduce optional persistence when calling RemoveCheck/RemoveService. Fixes a bug where config reloads would kill persisted services/checks. Also fixes an edge case: 1. A service or check is registered via the HTTP API 2. A new service or check definition with the same ID is added to config 3. Config is reloaded The desired behavior (which this implements) is: 1. All services and checks deregistered in memory 2. All services and checks in config are registered first 3. All persisted checks are restored using the same logic as the agent start sequence, which prioritizes config over persisted, and removes any persistence files if new config counterparts are present.
2014-11-26 07:58:02 +00:00
agent: refactor loadChecks/loadServices, fixes a few minor bugs
2015-06-04 21:33:30 +00:00
// Read the contents into a buffer
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
file := filepath.Join(checkDir, fi.Name())
buf, err := ioutil.ReadFile(file)
agent: consolidate service loading code, better logging
2015-01-08 05:24:47 +00:00
if err != nil {
agent: refactor loadChecks/loadServices, fixes a few minor bugs
2015-06-04 21:33:30 +00:00
return fmt.Errorf("failed reading check file %q: %s", file, err)
agent: consolidate service loading code, better logging
2015-01-08 05:24:47 +00:00
}
agent: refactor loadChecks/loadServices, fixes a few minor bugs
2015-06-04 21:33:30 +00:00
// Decode the check
agent: consolidate service loading code, better logging
2015-01-08 05:24:47 +00:00
var p persistedCheck
agent: refactor loadChecks/loadServices, fixes a few minor bugs
2015-06-04 21:33:30 +00:00
if err := json.Unmarshal(buf, &p); err != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Error("Failed decoding check file",
"file", file,
"error", err,
)
Add graceful handling of malformed persisted service/check files. Previously a change was made to make the file writing atomic, but that wasn't enough to cover something like an OS crash so we needed something here to handle the situation more gracefully. Fixes #1221.
2018-01-19 22:07:36 +00:00
continue
agent: consolidate service loading code, better logging
2015-01-08 05:24:47 +00:00
}
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
checkID := p.Check.CompoundCheckID()
agent: consolidate service loading code, better logging
2015-01-08 05:24:47 +00:00
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
source, ok := ConfigSourceFromName(p.Source)
if !ok {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Warn("check exists with invalid source, purging",
"check", checkID.String(),
"source", p.Source,
)
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
if err := a.purgeCheck(checkID); err != nil {
return fmt.Errorf("failed purging check %q: %s", checkID, err)
}
continue
}
local state: tests compile
2017-08-28 12:17:13 +00:00
if a.State.Check(checkID) != nil {
agent: consolidate service loading code, better logging
2015-01-08 05:24:47 +00:00
// Purge previously persisted check. This allows config to be
// preferred over persisted checks from the API.
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Debug("check exists, not restoring from file",
"check", checkID.String(),
"file", file,
)
agent: refactor loadChecks/loadServices, fixes a few minor bugs
2015-06-04 21:33:30 +00:00
if err := a.purgeCheck(checkID); err != nil {
return fmt.Errorf("Failed purging check %q: %s", checkID, err)
}
agent: consolidate service loading code, better logging
2015-01-08 05:24:47 +00:00
} else {
// Default check to critical to avoid placing potentially unhealthy
// services into the active pool
Remove duplicate constants This patch removes duplicate internal copies of constants in the structs package which are also defined in the api package. The api.KVOp type with all its values for the TXN endpoint and the api.HealthXXX constants are now used throughout the codebase. This resulted in some circular dependencies in the testutil package which have been resolved by copying code and constants and moving the WaitForLeader function into a separate testrpc package.
2017-04-19 23:00:11 +00:00
p.Check.Status = api.HealthCritical
agent: consolidate service loading code, better logging
2015-01-08 05:24:47 +00:00
agent: avoid reverting any check updates that occur while a service is being added or the config is reloaded (#6144)
2019-07-17 19:06:50 +00:00
// Restore the fields from the snapshot.
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
if prev, ok := snap[p.Check.CompoundCheckID()]; ok {
agent: avoid reverting any check updates that occur while a service is being added or the config is reloaded (#6144)
2019-07-17 19:06:50 +00:00
p.Check.Output = prev.Output
p.Check.Status = prev.Status
}
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
if err := a.addCheckLocked(p.Check, p.ChkType, false, p.Token, source); err != nil {
agent: warn and purge checks which cannot be restored from agent state
2015-03-11 23:13:19 +00:00
// Purge the check if it is unable to be restored.
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Warn("Failed to restore check",
"check", checkID.String(),
"error", err,
)
agent: refactor loadChecks/loadServices, fixes a few minor bugs
2015-06-04 21:33:30 +00:00
if err := a.purgeCheck(checkID); err != nil {
return fmt.Errorf("Failed purging check %q: %s", checkID, err)
}
agent: warn and purge checks which cannot be restored from agent state
2015-03-11 23:13:19 +00:00
}
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Debug("restored health check from file",
"check", p.Check.CheckID,
"file", file,
)
agent: consolidate service loading code, better logging
2015-01-08 05:24:47 +00:00
}
agent: refactor loadChecks/loadServices, fixes a few minor bugs
2015-06-04 21:33:30 +00:00
}
agent: consolidate service loading code, better logging
2015-01-08 05:24:47 +00:00
agent: refactor loadChecks/loadServices, fixes a few minor bugs
2015-06-04 21:33:30 +00:00
return nil
agent: allow config reload to modify checks/services persistence This change consolidates loading services and checks from both config and persisted state into methods on the agent. As part of this, we introduce optional persistence when calling RemoveCheck/RemoveService. Fixes a bug where config reloads would kill persisted services/checks. Also fixes an edge case: 1. A service or check is registered via the HTTP API 2. A new service or check definition with the same ID is added to config 3. Config is reloaded The desired behavior (which this implements) is: 1. All services and checks deregistered in memory 2. All services and checks in config are registered first 3. All persisted checks are restored using the same logic as the agent start sequence, which prioritizes config over persisted, and removes any persistence files if new config counterparts are present.
2014-11-26 07:58:02 +00:00
}
agent: separate service and check loading/unloading concerns
2015-01-08 02:05:46 +00:00
// unloadChecks will deregister all checks known to the local agent.
func (a *Agent) unloadChecks() error {
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
for id := range a.State.Checks(structs.WildcardEnterpriseMeta()) {
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
if err := a.removeCheckLocked(id, false); err != nil {
agent: simplify some loops
2017-08-28 12:17:11 +00:00
return fmt.Errorf("Failed deregistering check '%s': %s", id, err)
agent: separate service and check loading/unloading concerns
2015-01-08 02:05:46 +00:00
}
}
return nil
}
agent: first pass at service maintenance mode
2015-01-15 08:16:34 +00:00
agent: Snapshot and restore health state on reload. Fixes #693
2015-02-17 20:00:04 +00:00
// snapshotCheckState is used to snapshot the current state of the health
// checks. This is done before we reload our checks, so that we can properly
// restore into the same state.
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
func (a *Agent) snapshotCheckState() map[structs.CheckID]*structs.HealthCheck {
return a.State.Checks(structs.WildcardEnterpriseMeta())
agent: Snapshot and restore health state on reload. Fixes #693
2015-02-17 20:00:04 +00:00
}
Validate metadata config earlier and handle multiple filters
2017-01-11 19:41:12 +00:00
// loadMetadata loads node metadata fields from the agent config and
Add support for setting node metadata fields
2017-01-05 22:10:26 +00:00
// updates them on the local agent.
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
2017-09-25 18:40:42 +00:00
func (a *Agent) loadMetadata(conf *config.RuntimeConfig) error {
local state: move to separate package This patch moves the local state to a separate package to further decouple it from the agent code. The code compiles but the tests do not yet.
2017-08-28 12:17:12 +00:00
meta := map[string]string{}
for k, v := range conf.NodeMeta {
meta[k] = v
Validate metadata config earlier and handle multiple filters
2017-01-11 19:41:12 +00:00
}
local state: move to separate package This patch moves the local state to a separate package to further decouple it from the agent code. The code compiles but the tests do not yet.
2017-08-28 12:17:12 +00:00
meta[structs.MetaSegmentKey] = conf.SegmentName
local state: tests compile
2017-08-28 12:17:13 +00:00
return a.State.LoadMetadata(meta)
Validate metadata config earlier and handle multiple filters
2017-01-11 19:41:12 +00:00
}
Add support for setting node metadata fields
2017-01-05 22:10:26 +00:00
// unloadMetadata resets the local metadata state
Validate metadata config earlier and handle multiple filters
2017-01-11 19:41:12 +00:00
func (a *Agent) unloadMetadata() {
local state: tests compile
2017-08-28 12:17:13 +00:00
a.State.UnloadMetadata()
Add support for setting node metadata fields
2017-01-05 22:10:26 +00:00
}
agent: maintenance logging + unique service check IDs
2015-01-15 20:20:57 +00:00
// serviceMaintCheckID returns the ID of a given service's maintenance check
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
func serviceMaintCheckID(serviceID structs.ServiceID) structs.CheckID {
agent/structs: Remove ServiceID.Init and CheckID.Init The Init method provided the same functionality as the New constructor. The constructor is both more widely used, and more idiomatic, so remove the Init method. This change is in preparation for fixing printing of these IDs.
2020-04-15 16:03:29 +00:00
cid := types.CheckID(structs.ServiceMaintPrefix + serviceID.ID)
return structs.NewCheckID(cid, &serviceID.EnterpriseMeta)
agent: maintenance logging + unique service check IDs
2015-01-15 20:20:57 +00:00
}
agent: test agent service maintenance mode
2015-01-15 08:25:36 +00:00
// EnableServiceMaintenance will register a false health check against the given
// service ID with critical status. This will exclude the service from queries.
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
func (a *Agent) EnableServiceMaintenance(serviceID structs.ServiceID, reason, token string) error {
service := a.State.Service(serviceID)
if service == nil {
return fmt.Errorf("No service registered with ID %q", serviceID.String())
agent: first pass at service maintenance mode
2015-01-15 08:16:34 +00:00
}
agent: maintenance logging + unique service check IDs
2015-01-15 20:20:57 +00:00
// Check if maintenance mode is not already enabled
checkID := serviceMaintCheckID(serviceID)
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
if a.State.Check(checkID) != nil {
agent: maintenance mode api's are idempotent
2015-01-15 18:51:00 +00:00
return nil
agent: first pass at service maintenance mode
2015-01-15 08:16:34 +00:00
}
agent: support passing ?reason= for custom notes field values on maintenance checks
2015-01-21 20:21:57 +00:00
// Use default notes if no reason provided
if reason == "" {
agent: use const for default maintenance reason strings
2015-01-21 22:45:09 +00:00
reason = defaultServiceMaintReason
agent: support passing ?reason= for custom notes field values on maintenance checks
2015-01-21 20:21:57 +00:00
}
agent: first pass at service maintenance mode
2015-01-15 08:16:34 +00:00
// Create and register the critical health check
check := &structs.HealthCheck{
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
Node: a.config.NodeName,
CheckID: checkID.ID,
Name: "Service Maintenance Mode",
Notes: reason,
ServiceID: service.ID,
ServiceName: service.Service,
Status: api.HealthCritical,
Type: "maintenance",
EnterpriseMeta: checkID.EnterpriseMeta,
agent: first pass at service maintenance mode
2015-01-15 08:16:34 +00:00
}
[Security] Add finer control over script checks (#4715) * Add -enable-local-script-checks options These options allow for a finer control over when script checks are enabled by giving the option to only allow them when they are declared from the local file system. * Add documentation for the new option * Nitpick doc wording
2018-10-11 12:22:11 +00:00
a.AddCheck(check, nil, true, token, ConfigSourceLocal)
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Info("Service entered maintenance mode", "service", serviceID.String())
agent: first pass at service maintenance mode
2015-01-15 08:16:34 +00:00
return nil
}
agent: test agent service maintenance mode
2015-01-15 08:25:36 +00:00
// DisableServiceMaintenance will deregister the fake maintenance mode check
// if the service has been marked as in maintenance.
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
func (a *Agent) DisableServiceMaintenance(serviceID structs.ServiceID) error {
if a.State.Service(serviceID) == nil {
return fmt.Errorf("No service registered with ID %q", serviceID.String())
agent: first pass at service maintenance mode
2015-01-15 08:16:34 +00:00
}
agent: maintenance logging + unique service check IDs
2015-01-15 20:20:57 +00:00
// Check if maintenance mode is enabled
checkID := serviceMaintCheckID(serviceID)
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
if a.State.Check(checkID) == nil {
// maintenance mode is not enabled
agent: maintenance logging + unique service check IDs
2015-01-15 20:20:57 +00:00
return nil
}
agent: first pass at service maintenance mode
2015-01-15 08:16:34 +00:00
// Deregister the maintenance check
agent: maintenance logging + unique service check IDs
2015-01-15 20:20:57 +00:00
a.RemoveCheck(checkID, true)
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Info("Service left maintenance mode", "service", serviceID.String())
agent: maintenance logging + unique service check IDs
2015-01-15 20:20:57 +00:00
agent: first pass at service maintenance mode
2015-01-15 08:16:34 +00:00
return nil
}
agent: node maintenance mode works
2015-01-15 19:20:22 +00:00
// EnableNodeMaintenance places a node into maintenance mode.
agent: thread tokens through for maintenance mode
2015-09-10 18:43:59 +00:00
func (a *Agent) EnableNodeMaintenance(reason, token string) {
agent: node maintenance mode works
2015-01-15 19:20:22 +00:00
// Ensure node maintenance is not already enabled
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
if a.State.Check(structs.NodeMaintCheckID) != nil {
agent: node maintenance mode works
2015-01-15 19:20:22 +00:00
return
}
agent: support passing ?reason= for custom notes field values on maintenance checks
2015-01-21 20:21:57 +00:00
// Use a default notes value
if reason == "" {
agent: use const for default maintenance reason strings
2015-01-21 22:45:09 +00:00
reason = defaultNodeMaintReason
agent: support passing ?reason= for custom notes field values on maintenance checks
2015-01-21 20:21:57 +00:00
}
agent: node maintenance mode works
2015-01-15 19:20:22 +00:00
// Create and register the node maintenance check
check := &structs.HealthCheck{
Node: a.config.NodeName,
Add an API method for determining the best status Given a list of HealthChecks, this determines the "best" status for the collective group. This is useful for nodes and services, which may have multiple checks associated with them.
2016-11-29 21:15:20 +00:00
CheckID: structs.NodeMaint,
agent: node maintenance mode works
2015-01-15 19:20:22 +00:00
Name: "Node Maintenance Mode",
agent: support passing ?reason= for custom notes field values on maintenance checks
2015-01-21 20:21:57 +00:00
Notes: reason,
Remove duplicate constants This patch removes duplicate internal copies of constants in the structs package which are also defined in the api package. The api.KVOp type with all its values for the TXN endpoint and the api.HealthXXX constants are now used throughout the codebase. This resulted in some circular dependencies in the testutil package which have been resolved by copying code and constants and moving the WaitForLeader function into a separate testrpc package.
2017-04-19 23:00:11 +00:00
Status: api.HealthCritical,
Store check type in catalog (#6561)
2019-10-17 18:33:11 +00:00
Type: "maintenance",
agent: node maintenance mode works
2015-01-15 19:20:22 +00:00
}
[Security] Add finer control over script checks (#4715) * Add -enable-local-script-checks options These options allow for a finer control over when script checks are enabled by giving the option to only allow them when they are declared from the local file system. * Add documentation for the new option * Nitpick doc wording
2018-10-11 12:22:11 +00:00
a.AddCheck(check, nil, true, token, ConfigSourceLocal)
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Info("Node entered maintenance mode")
agent: node maintenance mode works
2015-01-15 19:20:22 +00:00
}
// DisableNodeMaintenance removes a node from maintenance mode
func (a *Agent) DisableNodeMaintenance() {
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
if a.State.Check(structs.NodeMaintCheckID) == nil {
agent: maintenance logging + unique service check IDs
2015-01-15 20:20:57 +00:00
return
}
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
a.RemoveCheck(structs.NodeMaintCheckID, true)
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
2020-01-28 23:50:41 +00:00
a.logger.Info("Node left maintenance mode")
agent: node maintenance mode works
2015-01-15 19:20:22 +00:00
}
Adds a slightly more flexible mock system so we can test DNS.
2015-11-12 17:19:33 +00:00
agent: reload limits upon restart
2018-04-08 21:28:29 +00:00
func (a *Agent) loadLimits(conf *config.RuntimeConfig) {
Apply the limits to the clients rpcLimiter
2018-06-11 19:51:17 +00:00
a.config.RPCRateLimit = conf.RPCRateLimit
a.config.RPCMaxBurst = conf.RPCMaxBurst
agent: reload limits upon restart
2018-04-08 21:28:29 +00:00
}
Implement Client Agent Auto Config There are a couple of things in here. First, just like auto encrypt, any Cluster.AutoConfig RPC will implicitly use the less secure RPC mechanism. This drastically modifies how the Consul Agent starts up and moves most of the responsibilities (other than signal handling) from the cli command and into the Agent.
2020-06-10 20:47:35 +00:00
// ReloadConfig will atomically reload all configuration, including
// all services, checks, tokens, metadata, dnsServer configs, etc.
docs: document exported functions in agent.go (closes #7101) (#7366) and fix one linter error
2020-04-01 20:52:23 +00:00
// It will also reload all ongoing watches.
Implement Client Agent Auto Config There are a couple of things in here. First, just like auto encrypt, any Cluster.AutoConfig RPC will implicitly use the less secure RPC mechanism. This drastically modifies how the Consul Agent starts up and moves most of the responsibilities (other than signal handling) from the cli command and into the Agent.
2020-06-10 20:47:35 +00:00
func (a *Agent) ReloadConfig() error {
agent/consul: pass dependencies directly from agent In an upcoming change we will need to pass a grpc.ClientConnPool from BaseDeps into Server. While looking at that change I noticed all of the existing consulOption fields are already on BaseDeps. Instead of duplicating the fields, we can create a struct used by agent/consul, and use that struct in BaseDeps. This allows us to pass along dependencies without translating them into different representations. I also looked at moving all of BaseDeps in agent/consul, however that created some circular imports. Resolving those cycles wouldn't be too bad (it was only an error in agent/consul being imported from cache-types), however this change seems a little better by starting to introduce some structure to BaseDeps. This change is also a small step in reducing the scope of Agent. Also remove some constants that were only used by tests, and move the relevant comment to where the live configuration is set. Removed some validation from NewServer and NewClient, as these are not really runtime errors. They would be code errors, which will cause a panic anyway, so no reason to handle them specially here.
2020-09-14 22:31:07 +00:00
newCfg, err := a.baseDeps.AutoConfig.ReadConfig()
Implement Client Agent Auto Config There are a couple of things in here. First, just like auto encrypt, any Cluster.AutoConfig RPC will implicitly use the less secure RPC mechanism. This drastically modifies how the Consul Agent starts up and moves most of the responsibilities (other than signal handling) from the cli command and into the Agent.
2020-06-10 20:47:35 +00:00
if err != nil {
return err
}
// copy over the existing node id, this cannot be
// changed while running anyways but this prevents
// breaking some existing behavior.
newCfg.NodeID = a.config.NodeID
return a.reloadConfigInternal(newCfg)
}
// reloadConfigInternal is mainly needed for some unit tests. Instead of parsing
// the configuration using CLI flags and on disk config, this just takes a
// runtime configuration and applies it.
func (a *Agent) reloadConfigInternal(newCfg *config.RuntimeConfig) error {
// Change the log level and update it
config: use logging.Config in RuntimeConfig To add structure to RuntimeConfig, and remove the need to translate into a third type.
2020-08-19 17:17:05 +00:00
if logging.ValidateLogLevel(newCfg.Logging.LogLevel) {
a.logger.SetLevel(logging.LevelFromString(newCfg.Logging.LogLevel))
Implement Client Agent Auto Config There are a couple of things in here. First, just like auto encrypt, any Cluster.AutoConfig RPC will implicitly use the less secure RPC mechanism. This drastically modifies how the Consul Agent starts up and moves most of the responsibilities (other than signal handling) from the cli command and into the Agent.
2020-06-10 20:47:35 +00:00
} else {
config: use logging.Config in RuntimeConfig To add structure to RuntimeConfig, and remove the need to translate into a third type.
2020-08-19 17:17:05 +00:00
a.logger.Warn("Invalid log level in new configuration", "level", newCfg.Logging.LogLevel)
newCfg.Logging.LogLevel = a.config.Logging.LogLevel
Implement Client Agent Auto Config There are a couple of things in here. First, just like auto encrypt, any Cluster.AutoConfig RPC will implicitly use the less secure RPC mechanism. This drastically modifies how the Consul Agent starts up and moves most of the responsibilities (other than signal handling) from the cli command and into the Agent.
2020-06-10 20:47:35 +00:00
}
agent: move config reloading into the agent
2017-06-02 12:56:49 +00:00
// Bulk update the services and checks
a.PauseSync()
defer a.ResumeSync()
Register and deregisters services and their checks atomically in the local state (#5012) Prevent race between register and deregister requests by saving them together in the local state on registration. Also adds more cleaning in case of failure when registering services / checks.
2019-03-04 14:34:05 +00:00
a.stateLock.Lock()
defer a.stateLock.Unlock()
agent: avoid reverting any check updates that occur while a service is being added or the config is reloaded (#6144)
2019-07-17 19:06:50 +00:00
// Snapshot the current state, and use that to initialize the checks when
// they are recreated.
agent: move config reloading into the agent
2017-06-02 12:56:49 +00:00
snap := a.snapshotCheckState()
// First unload all checks, services, and metadata. This lets us begin the reload
// with a clean slate.
if err := a.unloadServices(); err != nil {
Fixes watch tracking during reloads and fixes address issue. (#3189) This patch fixes watch registration through the config file and a broken log line when the watch registration fails. It also plumbs all the watch loading through a common function and tweaks the unit test to create the watch before the reload.
2017-06-24 19:52:41 +00:00
return fmt.Errorf("Failed unloading services: %s", err)
agent: move config reloading into the agent
2017-06-02 12:56:49 +00:00
}
if err := a.unloadChecks(); err != nil {
Fixes watch tracking during reloads and fixes address issue. (#3189) This patch fixes watch registration through the config file and a broken log line when the watch registration fails. It also plumbs all the watch loading through a common function and tweaks the unit test to create the watch before the reload.
2017-06-24 19:52:41 +00:00
return fmt.Errorf("Failed unloading checks: %s", err)
agent: move config reloading into the agent
2017-06-02 12:56:49 +00:00
}
a.unloadMetadata()
ACL Token Persistence and Reloading (#5328) This PR adds two features which will be useful for operators when ACLs are in use. 1. Tokens set in configuration files are now reloadable. 2. If `acl.enable_token_persistence` is set to `true` in the configuration, tokens set via the `v1/agent/token` endpoint are now persisted to disk and loaded when the agent starts (or during configuration reload) Note that token persistence is opt-in so our users who do not want tokens on the local disk will see no change. Some other secondary changes: * Refactored a bunch of places where the replication token is retrieved from the token store. This token isn't just for replicating ACLs and now it is named accordingly. * Allowed better paths in the `v1/agent/token/` API. Instead of paths like: `v1/agent/token/acl_replication_token` the path can now be just `v1/agent/token/replication`. The old paths remain to be valid. * Added a couple new API functions to set tokens via the new paths. Deprecated the old ones and pointed to the new names. The names are also generally better and don't imply that what you are setting is for ACLs but rather are setting ACL tokens. There is a minor semantic difference there especially for the replication token as again, its no longer used only for ACL token/policy replication. The new functions will detect 404s and fallback to using the older token paths when talking to pre-1.4.3 agents. * Docs updated to reflect the API additions and to show using the new endpoints. * Updated the ACL CLI set-agent-tokens command to use the non-deprecated APIs.
2019-02-27 19:28:31 +00:00
// Reload tokens - should be done before all the other loading
// to ensure the correct tokens are available for attaching to
// the checks and service registrations.
agent/token: Move token persistence out of agent And into token.Store. This change isolates any awareness of token persistence in a single place. It is a small step in allowing Agent.New to accept its dependencies.
2020-08-17 23:30:25 +00:00
a.tokens.Load(newCfg.ACLTokens, a.logger)
ACL Token Persistence and Reloading (#5328) This PR adds two features which will be useful for operators when ACLs are in use. 1. Tokens set in configuration files are now reloadable. 2. If `acl.enable_token_persistence` is set to `true` in the configuration, tokens set via the `v1/agent/token` endpoint are now persisted to disk and loaded when the agent starts (or during configuration reload) Note that token persistence is opt-in so our users who do not want tokens on the local disk will see no change. Some other secondary changes: * Refactored a bunch of places where the replication token is retrieved from the token store. This token isn't just for replicating ACLs and now it is named accordingly. * Allowed better paths in the `v1/agent/token/` API. Instead of paths like: `v1/agent/token/acl_replication_token` the path can now be just `v1/agent/token/replication`. The old paths remain to be valid. * Added a couple new API functions to set tokens via the new paths. Deprecated the old ones and pointed to the new names. The names are also generally better and don't imply that what you are setting is for ACLs but rather are setting ACL tokens. There is a minor semantic difference there especially for the replication token as again, its no longer used only for ACL token/policy replication. The new functions will detect 404s and fallback to using the older token paths when talking to pre-1.4.3 agents. * Docs updated to reflect the API additions and to show using the new endpoints. * Updated the ACL CLI set-agent-tokens command to use the non-deprecated APIs.
2019-02-27 19:28:31 +00:00
agent: enable reloading of tls config (#5419) This PR introduces reloading tls configuration. Consul will now be able to reload the TLS configuration which previously required a restart. It is not yet possible to turn TLS ON or OFF with these changes. Only when TLS is already turned on, the configuration can be reloaded. Most importantly the certificates and CAs.
2019-03-13 09:29:06 +00:00
if err := a.tlsConfigurator.Update(newCfg.ToTLSUtilConfig()); err != nil {
return fmt.Errorf("Failed reloading tls configuration: %s", err)
}
agent: move config reloading into the agent
2017-06-02 12:56:49 +00:00
// Reload service/check definitions and metadata.
agent: configuration reload preserves check's statuses for services (#7345) This fixes issue #7318 Between versions 1.5.2 and 1.5.3, a regression has been introduced regarding health of services. A patch #6144 had been issued for HealthChecks of nodes, but not for healthchecks of services. What happened when a reload was: 1. save all healthcheck statuses 2. cleanup everything 3. add new services with healthchecks In step 3, the state of healthchecks was taken into account locally, so at step 3, but since we cleaned up at step 2, state was lost. This PR introduces the snap parameter, so step 3 can use information from step 1
2020-03-09 11:59:41 +00:00
if err := a.loadServices(newCfg, snap); err != nil {
Fixes watch tracking during reloads and fixes address issue. (#3189) This patch fixes watch registration through the config file and a broken log line when the watch registration fails. It also plumbs all the watch loading through a common function and tweaks the unit test to create the watch before the reload.
2017-06-24 19:52:41 +00:00
return fmt.Errorf("Failed reloading services: %s", err)
agent: move config reloading into the agent
2017-06-02 12:56:49 +00:00
}
agent: avoid reverting any check updates that occur while a service is being added or the config is reloaded (#6144)
2019-07-17 19:06:50 +00:00
if err := a.loadChecks(newCfg, snap); err != nil {
Fixes watch tracking during reloads and fixes address issue. (#3189) This patch fixes watch registration through the config file and a broken log line when the watch registration fails. It also plumbs all the watch loading through a common function and tweaks the unit test to create the watch before the reload.
2017-06-24 19:52:41 +00:00
return fmt.Errorf("Failed reloading checks: %s", err)
agent: move config reloading into the agent
2017-06-02 12:56:49 +00:00
}
if err := a.loadMetadata(newCfg); err != nil {
Fixes watch tracking during reloads and fixes address issue. (#3189) This patch fixes watch registration through the config file and a broken log line when the watch registration fails. It also plumbs all the watch loading through a common function and tweaks the unit test to create the watch before the reload.
2017-06-24 19:52:41 +00:00
return fmt.Errorf("Failed reloading metadata: %s", err)
agent: move config reloading into the agent
2017-06-02 12:56:49 +00:00
}
Fixes watch tracking during reloads and fixes address issue. (#3189) This patch fixes watch registration through the config file and a broken log line when the watch registration fails. It also plumbs all the watch loading through a common function and tweaks the unit test to create the watch before the reload.
2017-06-24 19:52:41 +00:00
if err := a.reloadWatches(newCfg); err != nil {
return fmt.Errorf("Failed reloading watches: %v", err)
agent: move config reloading into the agent
2017-06-02 12:56:49 +00:00
}
Apply the limits to the clients rpcLimiter
2018-06-11 19:51:17 +00:00
a.loadLimits(newCfg)
Security fixes (#7182) * Mitigate HTTP/RPC Services Allow Unbounded Resource Usage Fixes #7159. Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: Paul Banks <banks@banksco.de>
2020-01-31 16:19:37 +00:00
a.httpConnLimiter.SetConfig(connlimit.Config{
MaxConnsPerClientIP: newCfg.HTTPMaxConnsPerClient,
})
Add support for DNS config hot-reload (#4875) The DNS config parameters `recursors` and `dns_config.*` are now hot reloaded on SIGHUP or `consul reload` and do not need an agent restart to be modified. Config is stored in an atomic.Value and loaded at the beginning of each request. Reloading only affects requests that start _after_ the reload. Ongoing requests are not affected. To match the current behavior the recursor handler is loaded and unloaded as needed on config reload.
2019-04-24 18:11:54 +00:00
for _, s := range a.dnsServers {
if err := s.ReloadConfig(newCfg); err != nil {
return fmt.Errorf("Failed reloading dns config : %v", err)
}
}
Implement bootstrapping proxy defaults from the config file (#5714)
2019-04-26 18:25:03 +00:00
// this only gets used by the consulConfig function and since
// that is only ever done during init and reload here then
// an in place modification is safe as reloads cannot be
Security fixes (#7182) * Mitigate HTTP/RPC Services Allow Unbounded Resource Usage Fixes #7159. Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: Paul Banks <banks@banksco.de>
2020-01-31 16:19:37 +00:00
// concurrent due to both gaining a full lock on the stateLock
Implement bootstrapping proxy defaults from the config file (#5714)
2019-04-26 18:25:03 +00:00
a.config.ConfigEntryBootstrap = newCfg.ConfigEntryBootstrap
agent: stub out auditing functionality in OSS
2020-04-16 22:07:52 +00:00
err := a.reloadEnterprise(newCfg)
if err != nil {
return err
}
Apply the limits to the clients rpcLimiter
2018-06-11 19:51:17 +00:00
// create the config for the rpc server/client
agent: unmethod consulConfig To allow us to move newConsulConfig out of Agent.
2020-07-29 17:49:52 +00:00
consulCfg, err := newConsulConfig(a.config, a.logger)
Apply the limits to the clients rpcLimiter
2018-06-11 19:51:17 +00:00
if err != nil {
return err
}
if err := a.delegate.ReloadConfig(consulCfg); err != nil {
return err
}
agent: reload limits upon restart
2018-04-08 21:28:29 +00:00
Ensure that Cache options are reloaded when `consul reload` is performed. This will apply cache throttling parameters are properly applied: * cache.EntryFetchMaxBurst * cache.EntryFetchRate When values are updated, a log is displayed in info.
2020-08-24 21:33:10 +00:00
if a.cache.ReloadOptions(newCfg.Cache) {
a.logger.Info("Cache options have been updated")
} else {
a.logger.Debug("Cache options have not been modified")
}
Update docs for metrics endpoint
2017-08-08 19:33:30 +00:00
// Update filtered metrics
Refactor to use embedded struct.
2018-06-14 12:52:48 +00:00
metrics.UpdateFilter(newCfg.Telemetry.AllowedPrefixes,
newCfg.Telemetry.BlockedPrefixes)
Update docs for metrics endpoint
2017-08-08 19:33:30 +00:00
local state: tests compile
2017-08-28 12:17:13 +00:00
a.State.SetDiscardCheckOutput(newCfg.DiscardCheckOutput)
agent: add option to discard health output (#3562) * agent: add option to discard health output In high volatile environments consul will have checks with "noisy" output which changes every time even though the status does not change. Since the output is stored in the raft log every health check update unblocks a blocking call on health checks since the raft index has changed even though the status of the health checks may not have changed at all. By discarding the output of the health checks the users can choose a different tradeoff. Less visibility on why a check failed in exchange for a reduced change rate on the raft log. * agent: discard output also when adding a check * agent: add test for discard check output * agent: update docs * go vet * Adds discard_check_output to reloadable config table. * Updates the change log.
2017-10-11 00:04:52 +00:00
Fixes watch tracking during reloads and fixes address issue. (#3189) This patch fixes watch registration through the config file and a broken log line when the watch registration fails. It also plumbs all the watch loading through a common function and tweaks the unit test to create the watch before the reload.
2017-06-24 19:52:41 +00:00
return nil
agent: move config reloading into the agent
2017-06-02 12:56:49 +00:00
}
agent: initialize the cache and cache the CA roots
2018-04-11 08:52:51 +00:00
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
// LocalBlockingQuery performs a blocking query in a generic way against
// local agent state that has no RPC or raft to back it. It uses `hash` parameter
// instead of an `index`.
// `alwaysBlock` determines whether we block if the provided hash is empty.
// Callers like the AgentService endpoint will want to return the current result if a hash isn't provided.
// On the other hand, for cache notifications we always want to block. This avoids an empty first response.
func (a *Agent) LocalBlockingQuery(alwaysBlock bool, hash string, wait time.Duration,
fn func(ws memdb.WatchSet) (string, interface{}, error)) (string, interface{}, error) {
// If we are not blocking we can skip tracking and allocating - nil WatchSet
// is still valid to call Add on and will just be a no op.
var ws memdb.WatchSet
Allow cancelling blocking queries in response to shutting down.
2020-06-24 16:36:54 +00:00
var ctx context.Context = &lib.StopChannelContext{StopCh: a.shutdownCh}
shouldBlock := false
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
if alwaysBlock || hash != "" {
if wait == 0 {
wait = defaultQueryTime
}
if wait > 10*time.Minute {
wait = maxQueryTime
}
// Apply a small amount of jitter to the request.
wait += lib.RandomStagger(wait / 16)
Allow cancelling blocking queries in response to shutting down.
2020-06-24 16:36:54 +00:00
var cancel func()
ctx, cancel = context.WithDeadline(ctx, time.Now().Add(wait))
defer cancel()
shouldBlock = true
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
}
for {
// Must reset this every loop in case the Watch set is already closed but
// hash remains same. In that case we'll need to re-block on ws.Watch()
// again.
ws = memdb.NewWatchSet()
curHash, curResp, err := fn(ws)
if err != nil {
return "", curResp, err
}
// Return immediately if there is no timeout, the hash is different or the
// Watch returns true (indicating timeout fired). Note that Watch on a nil
// WatchSet immediately returns false which would incorrectly cause this to
// loop and repeat again, however we rely on the invariant that ws == nil
// IFF timeout == nil in which case the Watch call is never invoked.
Allow cancelling blocking queries in response to shutting down.
2020-06-24 16:36:54 +00:00
if !shouldBlock || hash != curHash || ws.WatchCtx(ctx) != nil {
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
return curHash, curResp, err
}
// Watch returned false indicating a change was detected, loop and repeat
// the callback to load the new value. If agent sync is paused it means
// local state is currently being bulk-edited e.g. config reload. In this
// case it's likely that local state just got unloaded and may or may not be
// reloaded yet. Wait a short amount of time for Sync to resume to ride out
// typical config reloads.
if syncPauseCh := a.SyncPausedCh(); syncPauseCh != nil {
select {
case <-syncPauseCh:
Allow cancelling blocking queries in response to shutting down.
2020-06-24 16:36:54 +00:00
case <-ctx.Done():
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
}
}
}
}
agent: initialize the cache and cache the CA roots
2018-04-11 08:52:51 +00:00
// registerCache configures the cache and registers all the supported
// types onto the cache. This is NOT safe to call multiple times so
// care should be taken to call this exactly once after the cache
// field has been initialized.
func (a *Agent) registerCache() {
Support Agent Caching for Service Discovery Results (#4541) * Add cache types for catalog/services and health/services and basic test that caching works * Support non-blocking cache types with Cache-Control semantics. * Update API docs to include caching info for every endpoint. * Comment updates per PR feedback. * Add note on caching to the 10,000 foot view on the architecture page to make the new data path more clear. * Document prepared query staleness quirk and force all background requests to AllowStale so we can spread service discovery load across servers.
2018-09-06 10:34:28 +00:00
// Note that you should register the _agent_ as the RPC implementation and not
// the a.delegate directly, otherwise tests that rely on overriding RPC
// routing via a.registerEndpoint will not work.
agent/cache: Make all cache options RegisterOptions Previously the SupportsBlocking option was specified by a method on the type, and all the other options were specified from RegisterOptions. This change moves RegisterOptions to a method on the type, and moves SupportsBlocking into the options struct. Currently there are only 2 cache-types. So all cache-types can implement this method by embedding a struct with those predefined values. In the future if a cache type needs to be registered more than once with different options it can remove the embedded type and implement the method in a way that allows for paramaterization.
2020-04-14 22:29:30 +00:00
a.cache.RegisterType(cachetype.ConnectCARootName, &cachetype.ConnectCARoot{RPC: a})
agent: augment /v1/connect/authorize to cache intentions
2018-04-17 23:26:58 +00:00
Wire up agent leaf endpoint to cache framework to support blocking.
2018-04-30 21:23:49 +00:00
a.cache.RegisterType(cachetype.ConnectCALeafName, &cachetype.ConnectCALeaf{
connect: agent leaf cert caching improvements (#5091) * Add State storage and LastResult argument into Cache so that cache.Types can safely store additional data that is eventually expired. * New Leaf cache type working and basic tests passing. TODO: more extensive testing for the Root change jitter across blocking requests, test concurrent fetches for different leaves interact nicely with rootsWatcher. * Add multi-client and delayed rotation tests. * Typos and cleanup error handling in roots watch * Add comment about how the FetchResult can be used and change ca leaf state to use a non-pointer state. * Plumb test override of root CA jitter through TestAgent so that tests are deterministic again! * Fix failing config test
2019-01-10 12:46:11 +00:00
RPC: a,
Cache: a.cache,
Datacenter: a.config.Datacenter,
TestOverrideCAChangeInitialDelay: a.config.ConnectTestCALeafRootChangeSpread,
Wire up agent leaf endpoint to cache framework to support blocking.
2018-04-30 21:23:49 +00:00
})
agent/cache: Make all cache options RegisterOptions Previously the SupportsBlocking option was specified by a method on the type, and all the other options were specified from RegisterOptions. This change moves RegisterOptions to a method on the type, and moves SupportsBlocking into the options struct. Currently there are only 2 cache-types. So all cache-types can implement this method by embedding a struct with those predefined values. In the future if a cache type needs to be registered more than once with different options it can remove the embedded type and implement the method in a way that allows for paramaterization.
2020-04-14 22:29:30 +00:00
a.cache.RegisterType(cachetype.IntentionMatchName, &cachetype.IntentionMatch{RPC: a})
Support Agent Caching for Service Discovery Results (#4541) * Add cache types for catalog/services and health/services and basic test that caching works * Support non-blocking cache types with Cache-Control semantics. * Update API docs to include caching info for every endpoint. * Comment updates per PR feedback. * Add note on caching to the 10,000 foot view on the architecture page to make the new data path more clear. * Document prepared query staleness quirk and force all background requests to AllowStale so we can spread service discovery load across servers.
2018-09-06 10:34:28 +00:00
agent/cache: Make all cache options RegisterOptions Previously the SupportsBlocking option was specified by a method on the type, and all the other options were specified from RegisterOptions. This change moves RegisterOptions to a method on the type, and moves SupportsBlocking into the options struct. Currently there are only 2 cache-types. So all cache-types can implement this method by embedding a struct with those predefined values. In the future if a cache type needs to be registered more than once with different options it can remove the embedded type and implement the method in a way that allows for paramaterization.
2020-04-14 22:29:30 +00:00
a.cache.RegisterType(cachetype.CatalogServicesName, &cachetype.CatalogServices{RPC: a})
Support Agent Caching for Service Discovery Results (#4541) * Add cache types for catalog/services and health/services and basic test that caching works * Support non-blocking cache types with Cache-Control semantics. * Update API docs to include caching info for every endpoint. * Comment updates per PR feedback. * Add note on caching to the 10,000 foot view on the architecture page to make the new data path more clear. * Document prepared query staleness quirk and force all background requests to AllowStale so we can spread service discovery load across servers.
2018-09-06 10:34:28 +00:00
agent/cache: Make all cache options RegisterOptions Previously the SupportsBlocking option was specified by a method on the type, and all the other options were specified from RegisterOptions. This change moves RegisterOptions to a method on the type, and moves SupportsBlocking into the options struct. Currently there are only 2 cache-types. So all cache-types can implement this method by embedding a struct with those predefined values. In the future if a cache type needs to be registered more than once with different options it can remove the embedded type and implement the method in a way that allows for paramaterization.
2020-04-14 22:29:30 +00:00
a.cache.RegisterType(cachetype.HealthServicesName, &cachetype.HealthServices{RPC: a})
Support Agent Caching for Service Discovery Results (#4541) * Add cache types for catalog/services and health/services and basic test that caching works * Support non-blocking cache types with Cache-Control semantics. * Update API docs to include caching info for every endpoint. * Comment updates per PR feedback. * Add note on caching to the 10,000 foot view on the architecture page to make the new data path more clear. * Document prepared query staleness quirk and force all background requests to AllowStale so we can spread service discovery load across servers.
2018-09-06 10:34:28 +00:00
agent/cache: Make all cache options RegisterOptions Previously the SupportsBlocking option was specified by a method on the type, and all the other options were specified from RegisterOptions. This change moves RegisterOptions to a method on the type, and moves SupportsBlocking into the options struct. Currently there are only 2 cache-types. So all cache-types can implement this method by embedding a struct with those predefined values. In the future if a cache type needs to be registered more than once with different options it can remove the embedded type and implement the method in a way that allows for paramaterization.
2020-04-14 22:29:30 +00:00
a.cache.RegisterType(cachetype.PreparedQueryName, &cachetype.PreparedQuery{RPC: a})
Allow DNS interface to use agent cache (#5300) Adds two new configuration parameters "dns_config.use_cache" and "dns_config.cache_max_age" controlling how DNS requests use the agent cache when querying servers.
2019-02-25 19:06:01 +00:00
agent/cache: Make all cache options RegisterOptions Previously the SupportsBlocking option was specified by a method on the type, and all the other options were specified from RegisterOptions. This change moves RegisterOptions to a method on the type, and moves SupportsBlocking into the options struct. Currently there are only 2 cache-types. So all cache-types can implement this method by embedding a struct with those predefined values. In the future if a cache type needs to be registered more than once with different options it can remove the embedded type and implement the method in a way that allows for paramaterization.
2020-04-14 22:29:30 +00:00
a.cache.RegisterType(cachetype.NodeServicesName, &cachetype.NodeServices{RPC: a})
Fill out the service manager functionality and fix tests
2019-04-23 06:39:02 +00:00
agent/cache: Make all cache options RegisterOptions Previously the SupportsBlocking option was specified by a method on the type, and all the other options were specified from RegisterOptions. This change moves RegisterOptions to a method on the type, and moves SupportsBlocking into the options struct. Currently there are only 2 cache-types. So all cache-types can implement this method by embedding a struct with those predefined values. In the future if a cache type needs to be registered more than once with different options it can remove the embedded type and implement the method in a way that allows for paramaterization.
2020-04-14 22:29:30 +00:00
a.cache.RegisterType(cachetype.ResolvedServiceConfigName, &cachetype.ResolvedServiceConfig{RPC: a})
New Cache Types (#5995) * Add a cache type for the Catalog.ListServices endpoint * Add a cache type for the Catalog.ListDatacenters endpoint
2019-06-24 18:11:34 +00:00
agent/cache: Make all cache options RegisterOptions Previously the SupportsBlocking option was specified by a method on the type, and all the other options were specified from RegisterOptions. This change moves RegisterOptions to a method on the type, and moves SupportsBlocking into the options struct. Currently there are only 2 cache-types. So all cache-types can implement this method by embedding a struct with those predefined values. In the future if a cache type needs to be registered more than once with different options it can remove the embedded type and implement the method in a way that allows for paramaterization.
2020-04-14 22:29:30 +00:00
a.cache.RegisterType(cachetype.CatalogListServicesName, &cachetype.CatalogListServices{RPC: a})
New Cache Types (#5995) * Add a cache type for the Catalog.ListServices endpoint * Add a cache type for the Catalog.ListDatacenters endpoint
2019-06-24 18:11:34 +00:00
agent/cache: Make all cache options RegisterOptions Previously the SupportsBlocking option was specified by a method on the type, and all the other options were specified from RegisterOptions. This change moves RegisterOptions to a method on the type, and moves SupportsBlocking into the options struct. Currently there are only 2 cache-types. So all cache-types can implement this method by embedding a struct with those predefined values. In the future if a cache type needs to be registered more than once with different options it can remove the embedded type and implement the method in a way that allows for paramaterization.
2020-04-14 22:29:30 +00:00
a.cache.RegisterType(cachetype.CatalogServiceListName, &cachetype.CatalogServiceList{RPC: a})
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
agent/cache: Make all cache options RegisterOptions Previously the SupportsBlocking option was specified by a method on the type, and all the other options were specified from RegisterOptions. This change moves RegisterOptions to a method on the type, and moves SupportsBlocking into the options struct. Currently there are only 2 cache-types. So all cache-types can implement this method by embedding a struct with those predefined values. In the future if a cache type needs to be registered more than once with different options it can remove the embedded type and implement the method in a way that allows for paramaterization.
2020-04-14 22:29:30 +00:00
a.cache.RegisterType(cachetype.CatalogDatacentersName, &cachetype.CatalogDatacenters{RPC: a})
Implement Kind based ServiceDump and caching of the ServiceDump RPC
2019-06-20 19:04:39 +00:00
agent/cache: Make all cache options RegisterOptions Previously the SupportsBlocking option was specified by a method on the type, and all the other options were specified from RegisterOptions. This change moves RegisterOptions to a method on the type, and moves SupportsBlocking into the options struct. Currently there are only 2 cache-types. So all cache-types can implement this method by embedding a struct with those predefined values. In the future if a cache type needs to be registered more than once with different options it can remove the embedded type and implement the method in a way that allows for paramaterization.
2020-04-14 22:29:30 +00:00
a.cache.RegisterType(cachetype.InternalServiceDumpName, &cachetype.InternalServiceDump{RPC: a})
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
agent/cache: Make all cache options RegisterOptions Previously the SupportsBlocking option was specified by a method on the type, and all the other options were specified from RegisterOptions. This change moves RegisterOptions to a method on the type, and moves SupportsBlocking into the options struct. Currently there are only 2 cache-types. So all cache-types can implement this method by embedding a struct with those predefined values. In the future if a cache type needs to be registered more than once with different options it can remove the embedded type and implement the method in a way that allows for paramaterization.
2020-04-14 22:29:30 +00:00
a.cache.RegisterType(cachetype.CompiledDiscoveryChainName, &cachetype.CompiledDiscoveryChain{RPC: a})
Implement caching for config entry lists Update agent/cache-types/config_entry.go Co-Authored-By: R.B. Boyer <public@richardboyer.net>
2019-07-02 00:45:42 +00:00
agent/cache: Make all cache options RegisterOptions Previously the SupportsBlocking option was specified by a method on the type, and all the other options were specified from RegisterOptions. This change moves RegisterOptions to a method on the type, and moves SupportsBlocking into the options struct. Currently there are only 2 cache-types. So all cache-types can implement this method by embedding a struct with those predefined values. In the future if a cache type needs to be registered more than once with different options it can remove the embedded type and implement the method in a way that allows for paramaterization.
2020-04-14 22:29:30 +00:00
a.cache.RegisterType(cachetype.GatewayServicesName, &cachetype.GatewayServices{RPC: a})
Ingress Gateways for TCP services (#7509) * Implements a simple, tcp ingress gateway workflow This adds a new type of gateway for allowing Ingress traffic into Connect from external services. Co-authored-by: Chris Piraino <cpiraino@hashicorp.com>
2020-04-16 21:00:48 +00:00
agent/cache: Make all cache options RegisterOptions Previously the SupportsBlocking option was specified by a method on the type, and all the other options were specified from RegisterOptions. This change moves RegisterOptions to a method on the type, and moves SupportsBlocking into the options struct. Currently there are only 2 cache-types. So all cache-types can implement this method by embedding a struct with those predefined values. In the future if a cache type needs to be registered more than once with different options it can remove the embedded type and implement the method in a way that allows for paramaterization.
2020-04-14 22:29:30 +00:00
a.cache.RegisterType(cachetype.ConfigEntriesName, &cachetype.ConfigEntries{RPC: a})
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
Add TLS option and DNS SAN support to ingress config xds: Only set TLS context for ingress listener when requested
2020-04-27 23:36:20 +00:00
a.cache.RegisterType(cachetype.ConfigEntryName, &cachetype.ConfigEntry{RPC: a})
agent/cache: Make all cache options RegisterOptions Previously the SupportsBlocking option was specified by a method on the type, and all the other options were specified from RegisterOptions. This change moves RegisterOptions to a method on the type, and moves SupportsBlocking into the options struct. Currently there are only 2 cache-types. So all cache-types can implement this method by embedding a struct with those predefined values. In the future if a cache type needs to be registered more than once with different options it can remove the embedded type and implement the method in a way that allows for paramaterization.
2020-04-14 22:29:30 +00:00
a.cache.RegisterType(cachetype.ServiceHTTPChecksName, &cachetype.ServiceHTTPChecks{Agent: a})
wan federation via mesh gateways (#6884) This is like a Möbius strip of code due to the fact that low-level components (serf/memberlist) are connected to high-level components (the catalog and mesh-gateways) in a twisty maze of references which make it hard to dive into. With that in mind here's a high level summary of what you'll find in the patch: There are several distinct chunks of code that are affected: * new flags and config options for the server * retry join WAN is slightly different * retry join code is shared to discover primary mesh gateways from secondary datacenters * because retry join logic runs in the *agent* and the results of that operation for primary mesh gateways are needed in the *server* there are some methods like `RefreshPrimaryGatewayFallbackAddresses` that must occur at multiple layers of abstraction just to pass the data down to the right layer. * new cache type `FederationStateListMeshGatewaysName` for use in `proxycfg/xds` layers * the function signature for RPC dialing picked up a new required field (the node name of the destination) * several new RPCs for manipulating a FederationState object: `FederationState:{Apply,Get,List,ListMeshGateways}` * 3 read-only internal APIs for debugging use to invoke those RPCs from curl * raft and fsm changes to persist these FederationStates * replication for FederationStates as they are canonically stored in the Primary and replicated to the Secondaries. * a special derivative of anti-entropy that runs in secondaries to snapshot their local mesh gateway `CheckServiceNodes` and sync them into their upstream FederationState in the primary (this works in conjunction with the replication to distribute addresses for all mesh gateways in all DCs to all other DCs) * a "gateway locator" convenience object to make use of this data to choose the addresses of gateways to use for any given RPC or gossip operation to a remote DC. This gets data from the "retry join" logic in the agent and also directly calls into the FSM. * RPC (`:8300`) on the server sniffs the first byte of a new connection to determine if it's actually doing native TLS. If so it checks the ALPN header for protocol determination (just like how the existing system uses the type-byte marker). * 2 new kinds of protocols are exclusively decoded via this native TLS mechanism: one for ferrying "packet" operations (udp-like) from the gossip layer and one for "stream" operations (tcp-like). The packet operations re-use sockets (using length-prefixing) to cut down on TLS re-negotiation overhead. * the server instances specially wrap the `memberlist.NetTransport` when running with gateway federation enabled (in a `wanfed.Transport`). The general gist is that if it tries to dial a node in the SAME datacenter (deduced by looking at the suffix of the node name) there is no change. If dialing a DIFFERENT datacenter it is wrapped up in a TLS+ALPN blob and sent through some mesh gateways to eventually end up in a server's :8300 port. * a new flag when launching a mesh gateway via `consul connect envoy` to indicate that the servers are to be exposed. This sets a special service meta when registering the gateway into the catalog. * `proxycfg/xds` notice this metadata blob to activate additional watches for the FederationState objects as well as the location of all of the consul servers in that datacenter. * `xds:` if the extra metadata is in place additional clusters are defined in a DC to bulk sink all traffic to another DC's gateways. For the current datacenter we listen on a wildcard name (`server.<dc>.consul`) that load balances all servers as well as one mini-cluster per node (`<node>.server.<dc>.consul`) * the `consul tls cert create` command got a new flag (`-node`) to help create an additional SAN in certs that can be used with this flavor of federation.
2020-03-09 20:59:02 +00:00
agent/cache: Make all cache options RegisterOptions Previously the SupportsBlocking option was specified by a method on the type, and all the other options were specified from RegisterOptions. This change moves RegisterOptions to a method on the type, and moves SupportsBlocking into the options struct. Currently there are only 2 cache-types. So all cache-types can implement this method by embedding a struct with those predefined values. In the future if a cache type needs to be registered more than once with different options it can remove the embedded type and implement the method in a way that allows for paramaterization.
2020-04-14 22:29:30 +00:00
a.cache.RegisterType(cachetype.FederationStateListMeshGatewaysName,
&cachetype.FederationStateListMeshGateways{RPC: a})
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
}
docs: document exported functions in agent.go (closes #7101) (#7366) and fix one linter error
2020-04-01 20:52:23 +00:00
// LocalState returns the agent's local state
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
func (a *Agent) LocalState() *local.State {
return a.State
}
// rerouteExposedChecks will inject proxy address into check targets
// Future calls to check() will dial the proxy listener
// The agent stateLock MUST be held for this to be called
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
func (a *Agent) rerouteExposedChecks(serviceID structs.ServiceID, proxyAddr string) error {
for cid, c := range a.checkHTTPs {
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
if c.ServiceID != serviceID {
continue
}
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
port, err := a.listenerPortLocked(serviceID, cid)
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
if err != nil {
return err
}
c.ProxyHTTP = httpInjectAddr(c.HTTP, proxyAddr, port)
}
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
for cid, c := range a.checkGRPCs {
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
if c.ServiceID != serviceID {
continue
}
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
port, err := a.listenerPortLocked(serviceID, cid)
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
if err != nil {
return err
}
c.ProxyGRPC = grpcInjectAddr(c.GRPC, proxyAddr, port)
}
return nil
}
// resetExposedChecks will set Proxy addr in HTTP checks to empty string
// Future calls to check() will use the original target c.HTTP or c.GRPC
// The agent stateLock MUST be held for this to be called
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
func (a *Agent) resetExposedChecks(serviceID structs.ServiceID) {
ids := make([]structs.CheckID, 0)
for cid, c := range a.checkHTTPs {
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
if c.ServiceID == serviceID {
c.ProxyHTTP = ""
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
ids = append(ids, cid)
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
}
}
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
for cid, c := range a.checkGRPCs {
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
if c.ServiceID == serviceID {
c.ProxyGRPC = ""
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
ids = append(ids, cid)
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
}
}
for _, checkID := range ids {
delete(a.exposedPorts, listenerPortKey(serviceID, checkID))
}
}
// listenerPort allocates a port from the configured range
// The agent stateLock MUST be held when this is called
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
func (a *Agent) listenerPortLocked(svcID structs.ServiceID, checkID structs.CheckID) (int, error) {
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
key := listenerPortKey(svcID, checkID)
if a.exposedPorts == nil {
a.exposedPorts = make(map[string]int)
}
if p, ok := a.exposedPorts[key]; ok {
return p, nil
}
allocated := make(map[int]bool)
for _, v := range a.exposedPorts {
allocated[v] = true
}
var port int
for i := 0; i < a.config.ExposeMaxPort-a.config.ExposeMinPort; i++ {
port = a.config.ExposeMinPort + i
if !allocated[port] {
a.exposedPorts[key] = port
break
}
}
if port == 0 {
return 0, fmt.Errorf("no ports available to expose '%s'", checkID)
}
return port, nil
}
Sync of OSS changes to support namespaces (#6909)
2019-12-10 02:26:41 +00:00
func listenerPortKey(svcID structs.ServiceID, checkID structs.CheckID) string {
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
return fmt.Sprintf("%s:%s", svcID, checkID)
}
// grpcInjectAddr injects an ip and port into an address of the form: ip:port[/service]
func grpcInjectAddr(existing string, ip string, port int) string {
portRepl := fmt.Sprintf("${1}:%d${3}", port)
out := grpcAddrRE.ReplaceAllString(existing, portRepl)
addrRepl := fmt.Sprintf("%s${2}${3}", ip)
out = grpcAddrRE.ReplaceAllString(out, addrRepl)
return out
}
// httpInjectAddr injects a port then an IP into a URL
func httpInjectAddr(url string, ip string, port int) string {
portRepl := fmt.Sprintf("${1}${2}:%d${4}${5}", port)
out := httpAddrRE.ReplaceAllString(url, portRepl)
// Ensure that ipv6 addr is enclosed in brackets (RFC 3986)
ip = fixIPv6(ip)
addrRepl := fmt.Sprintf("${1}%s${3}${4}${5}", ip)
out = httpAddrRE.ReplaceAllString(out, addrRepl)
return out
}
func fixIPv6(address string) string {
if strings.Count(address, ":") < 2 {
return address
}
if !strings.HasSuffix(address, "]") {
address = address + "]"
}
if !strings.HasPrefix(address, "[") {
address = "[" + address
}
return address
agent: initialize the cache and cache the CA roots
2018-04-11 08:52:51 +00:00
}
agent: tolerate more failure scenarios during service registration with central config enabled (#6472) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.
2019-09-24 15:04:48 +00:00
// defaultIfEmpty returns the value if not empty otherwise the default value.
func defaultIfEmpty(val, defaultVal string) string {
if val != "" {
return val
}
return defaultVal
}
Add config changes for UI metrics
2020-09-10 16:25:56 +00:00
// getUIConfig is the canonical way to read the value of the UIConfig at
// runtime. It is thread safe and returns the most recent configuration which
// may have changed since the agent started due to config reload.
func (a *Agent) getUIConfig() config.UIConfig {
if cfg, ok := a.uiConfig.Load().(config.UIConfig); ok {
return cfg
}
// Shouldn't happen but be defensive
return config.UIConfig{}
}