Commit Graph

177 Commits

Author SHA1 Message Date
Matt Keeler a7c55ffed2
Fix acl.enable_key_list to be acl.enable_key_list_policy in docs (#5907) 2019-06-03 09:31:02 -05:00
kaitlincarter-hc 9074778c0c
[docs] Updating links to guides (#5795)
* fixing links in the docs post guide migartion.

* fixed one more

* Update website/source/docs/acl/acl-legacy.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/enterprise/connect-multi-datacenter/index.html.md

* Updating based on comments and fixing word wrap

* Update website/source/api/acl-legacy.html.md

* Update website/source/api/acl/acl.html.md

* Update website/source/docs/agent/options.html.md

* Update website/source/docs/faq.html.md

* Update website/source/docs/internals/architecture.html.md

* Update website/source/docs/agent/encryption.html.md
2019-05-15 10:49:41 -05:00
Justin Weissig 4383d22580 docs: fixed typos (#5832)
Fixed typos: persmissions/permissions + regardles/regardless
2019-05-13 10:22:17 -05:00
Brian Flad 51fe3dd37e docs/agent/options: Add go-sockaddr template examples for -bind (#5701)
Reference: https://github.com/hashicorp/consul/issues/4090

Examples covering a variety of potential use cases. Verified via `sockaddr eval` and `console agent -bind` on a test machine:

```console
# Baseline
$ sockaddr eval 'GetAllInterfaces'
[127.0.0.1/8 {1 65536 lo  up|loopback} ::1 {1 65536 lo  up|loopback} 10.0.0.10/8 {2 1500 eth0 b8:27:eb:7b:36:95 up|broadcast|multicast} fe80::12dc:5e4d:8ff8:2d96/64 {2 1500 eth0 b8:27:eb:7b:36:95 up|broadcast|multicast} 192.168.1.10/24 {3 1500 wlan0 b8:27:eb:2e:63:c0 up|broadcast|multicast} fe80::b6dc:5758:c306:b15b/64 {3 1500 wlan0 b8:27:eb:2e:63:c0 up|broadcast|multicast}]

# Using address within a specific CIDR
$ sockaddr eval 'GetPrivateInterfaces | include "network" "10.0.0.0/8" | attr "address"'
10.0.0.10

# Using a static network interface name
$ sockaddr eval 'GetInterfaceIP "eth0"'
10.0.0.10

# Using regular expression matching for network interface name that is forwardable and up
$ sockaddr eval 'GetAllInterfaces | include "name" "^eth" | include "flags" "forwardable|up" | attr "address"'
10.0.0.10
```
2019-05-13 14:08:05 +01:00
Matt Keeler 5385e31fc5
Add some config entry docs (#5808)
* Add some config entry docs

* Update website/source/docs/agent/config_entries.html.md

Co-Authored-By: mkeeler <mkeeler@users.noreply.github.com>

* Update website/source/docs/agent/config_entries.html.md

Co-Authored-By: mkeeler <mkeeler@users.noreply.github.com>

* Get rid of double negative

* Some incremental updates

* Update the config list docs to not point to service-default related things.

* A few more doc updates to get rid of some service-defaults specific linking info in the cli docs

* In progress update

* Update website/source/docs/agent/config_entries.html.md

Co-Authored-By: mkeeler <mkeeler@users.noreply.github.com>

* Reword bootstrap section

* Update example proxy-defaults config

* Finish up the examples section for managing config entries with the CLI

* Update website/source/docs/agent/config_entries.html.md

Co-Authored-By: mkeeler <mkeeler@users.noreply.github.com>

* Use $ for shell command start

* Make it very clear that the normal way to manage things is via the API/CLI

* Update website/source/docs/agent/options.html.md

Co-Authored-By: mkeeler <mkeeler@users.noreply.github.com>
2019-05-08 16:19:37 -04:00
kaitlincarter-hc 2511ad92b9
[docs] WIP ports page (#5693)
* Updating ports information to be consistent accross docs.

* adding some extra notes based on feedback
2019-05-08 11:09:12 -05:00
R.B. Boyer aa18aece2e
docs: adding note about enabling acl token replication for auth methods (#5792) 2019-05-06 11:57:31 -05:00
R.B. Boyer 41dac76ab3
docs: add documentation for all secure acl introduction work (#5640) 2019-05-01 16:11:23 -05:00
Kyle Havlovitz 1de73ff037 Config Entry docs (#5734)
* Add api docs for the config entry endpoints

* Add enable_central_service_config field to agent docs

* Add docs for config entry CLI operations

* Fix wording and links in config entry docs

* Add links to the central service config option

* Update the central service config setting description.
2019-05-01 11:21:11 -07:00
kaitlincarter-hc 4a2ad7d36a
[docs] Fixing API broken links (#5732)
* starting broken link fixes

* Updating the other links for ACLs

* Updating the rest of the links

* fixing acl required links.

* update a bunch of other links

* updated a couple more broken links based on Alvins checker

* removed the extra s
2019-04-30 12:20:51 -05:00
Matt Keeler 3ea9fe3bff
Implement bootstrapping proxy defaults from the config file (#5714) 2019-04-26 14:25:03 -04:00
Freddy fa94b09a99
Clarify -log-rotate-duration string format and default value 2019-04-19 14:07:18 -06:00
kaitlincarter-hc 7859d8c409
[docs] Server Performance (#5627)
* Moving server performance guide to docs.

* fixing broken links

* updating broken link

* fixing broken links
2019-04-17 13:17:12 -05:00
Sarah Christoff f6843713fc Updated Ports Documentation 2019-04-05 12:25:44 -05:00
Alvin Huang e3f3987835
missed a broken link (#5545) 2019-03-25 18:46:10 -04:00
Alvin Huang d686201776 fix broken link 2019-03-22 19:20:48 -04:00
Steve Burns ff8ab320da Add log_file attribute to agent configuration documentation (#5492) 2019-03-18 10:24:49 -07:00
Alex Mayer a73d983d19 Docs Proofing (#5424)
* Docs: Remove default_policy From Code Example

It is not needed according to:
https://www.consul.io/docs/agent/acl-system.html#configuring-acls

* Docs: Cleanup Commands And Their Output On ACL Guide Page

Remove extra spaces and newlines
Ensure rules match input rules

* Docs: Remove Incomplete "Added In Version" Statement

Version added is specified on parent option

* Docs: Fix Broken Links

* Docs: Minor Sentence Tweaks
2019-03-15 09:35:33 -05:00
Hans Hasselberg d511e86491
agent: enable reloading of tls config (#5419)
This PR introduces reloading tls configuration. Consul will now be able to reload the TLS configuration which previously required a restart. It is not yet possible to turn TLS ON or OFF with these changes. Only when TLS is already turned on, the configuration can be reloaded. Most importantly the certificates and CAs.
2019-03-13 10:29:06 +01:00
Masato Yamazaki 774b39dd94 website: delete duplication of "are" (#5464) 2019-03-11 10:42:15 +01:00
R.B. Boyer 66af091de9 website: fix broken links 2019-03-05 14:24:33 -06:00
Hans Hasselberg 330b8aec69 default to tls 1.2 as promised. (#5340) 2019-03-04 09:42:04 -05:00
Aestek ce447e0e16 Fix race condition in DNS when using cache (#5398)
* Fix race condition in DNS when using cache

The healty node filtering was modifying the result from the cache, which
caused a crash when multiple queries were made to the same service
simultaneously.
We now copy the node slice before filtering to ensure we do not modify
the data stored in the cache.

* Fix wording in dns cache config doc

s/dns_max_age/cache_max_age/
2019-03-04 09:22:01 -05:00
Matt Keeler 0c76a4389f
ACL Token Persistence and Reloading (#5328)
This PR adds two features which will be useful for operators when ACLs are in use.

1. Tokens set in configuration files are now reloadable.
2. If `acl.enable_token_persistence` is set to `true` in the configuration, tokens set via the `v1/agent/token` endpoint are now persisted to disk and loaded when the agent starts (or during configuration reload)

Note that token persistence is opt-in so our users who do not want tokens on the local disk will see no change.

Some other secondary changes:

* Refactored a bunch of places where the replication token is retrieved from the token store. This token isn't just for replicating ACLs and now it is named accordingly.
* Allowed better paths in the `v1/agent/token/` API. Instead of paths like: `v1/agent/token/acl_replication_token` the path can now be just `v1/agent/token/replication`. The old paths remain to be valid. 
* Added a couple new API functions to set tokens via the new paths. Deprecated the old ones and pointed to the new names. The names are also generally better and don't imply that what you are setting is for ACLs but rather are setting ACL tokens. There is a minor semantic difference there especially for the replication token as again, its no longer used only for ACL token/policy replication. The new functions will detect 404s and fallback to using the older token paths when talking to pre-1.4.3 agents.
* Docs updated to reflect the API additions and to show using the new endpoints.
* Updated the ACL CLI set-agent-tokens command to use the non-deprecated APIs.
2019-02-27 14:28:31 -05:00
Aestek f8a28d13dd Allow DNS interface to use agent cache (#5300)
Adds two new configuration parameters "dns_config.use_cache" and
"dns_config.cache_max_age" controlling how DNS requests use the agent
cache when querying servers.
2019-02-25 14:06:01 -05:00
Matt Keeler 472b7165fd Fix some docs formatting around DNS SOA RR configuration (#5297) 2019-01-30 16:47:32 -06:00
Paul Banks 1c4dfbcd2e
connect: tame thundering herd of CSRs on CA rotation (#5228)
* Support rate limiting and concurrency limiting CSR requests on servers; handle CA rotations gracefully with jitter and backoff-on-rate-limit in client

* Add CSR rate limiting docs

* Fix config naming and add tests for new CA configs
2019-01-22 17:19:36 +00:00
kaitlincarter-hc fd1c1a656b
Add acl.enable_key_list_policy to agent config docs. (#5227)
* Adding key list parameter to agent config docs.

* Fixed typo in master token section

* Updated based on comments from Paul and Matt.
2019-01-22 10:20:05 -06:00
Aestek 154c41e165 [Security] Allow blocking Write endpoints on Agent using Network Addresses (#4719)
* Add -write-allowed-nets option

* Add documentation for the new write_allowed_nets option
2019-01-10 09:27:26 -05:00
Jack Pearkes 1237bf5d11
website: highlight how to use agent certs for tls checks (#5086)
Also clarifies that HTTP and gRPC checks both use the same
TLS configuration.
2018-12-18 16:47:52 -08:00
Jack Pearkes 9d170164e4
Documentation and changes for `verify_server_hostname` (#5069)
* verify_server_hostname implies verify_outgoing

* mention CVE in the docs.
2018-12-06 13:51:49 -08:00
Paul Banks 9a849faeb8
Update security notices around script checks 2018-11-27 17:15:17 +00:00
Kyle Havlovitz b0dcf54e50
Merge pull request #4917 from hashicorp/replication-token-cleanup
Use acl replication_token for connect
2018-11-12 09:12:54 -08:00
Kyle Havlovitz 69a8d149d5
docs: remove leftover typo from replication_token info 2018-11-07 09:22:23 -08:00
Kyle Havlovitz 60bb53d4e6
config: remote connect replication_token 2018-11-07 02:15:37 -08:00
Jack Pearkes a2485f60af
website: clarify log file filename format (#4856)
Fixes #4697
2018-10-29 09:29:14 -07:00
Paul Banks e2fa2b133b Correct prometheus docs (#4805) 2018-10-26 12:11:57 -07:00
Jack Pearkes b6cb4f3465
Fix some broken links in docs (#4858)
* website: let curl make noise during website deploy

* website: fix a handful of broken links
2018-10-26 10:55:12 -07:00
Matt Keeler b816bee165 ACL documentation (#4824)
* Updating the ACL guide.

* Update the docs correctly

* Finish updating the ACL docs - for now.
2018-10-19 13:26:31 -07:00
Jack Pearkes 197d62c6ca New command: consul debug (#4754)
* agent/debug: add package for debugging, host info

* api: add v1/agent/host endpoint

* agent: add v1/agent/host endpoint

* command/debug: implementation of static capture

* command/debug: tests and only configured targets

* agent/debug: add basic test for host metrics

* command/debug: add methods for dynamic data capture

* api: add debug/pprof endpoints

* command/debug: add pprof

* command/debug: timing, wg, logs to disk

* vendor: add gopsutil/disk

* command/debug: add a usage section

* website: add docs for consul debug

* agent/host: require operator:read

* api/host: improve docs and no retry timing

* command/debug: fail on extra arguments

* command/debug: fixup file permissions to 0644

* command/debug: remove server flags

* command/debug: improve clarity of usage section

* api/debug: add Trace for profiling, fix profile

* command/debug: capture profile and trace at the same time

* command/debug: add index document

* command/debug: use "clusters" in place of members

* command/debug: remove address in output

* command/debug: improve comment on metrics sleep

* command/debug: clarify usage

* agent: always register pprof handlers and protect

This will allow us to avoid a restart of a target agent
for profiling by always registering the pprof handlers.

Given this is a potentially sensitive path, it is protected
with an operator:read ACL and enable debug being
set to true on the target agent. enable_debug still requires
a restart.

If ACLs are disabled, enable_debug is sufficient.

* command/debug: use trace.out instead of .prof

More in line with golang docs.

* agent: fix comment wording

* agent: wrap table driven tests in t.run()
2018-10-19 08:41:03 -07:00
Kyle Havlovitz 96a35f8abc re-add Connect multi-dc config changes
This reverts commit 8bcfbaffb6588b024cd1a3cf0952e6bfa7d9e900.
2018-10-19 08:41:03 -07:00
Jack Pearkes 847a0a5266 Revert "Connect multi-dc config" (#4784) 2018-10-11 17:32:45 +01:00
Aestek 260a9880ae [Security] Add finer control over script checks (#4715)
* Add -enable-local-script-checks options

These options allow for a finer control over when script checks are enabled by
giving the option to only allow them when they are declared from the local
file system.

* Add documentation for the new option

* Nitpick doc wording
2018-10-11 13:22:11 +01:00
Paul Banks 94332edf2e
[WIP] Initial draft of Sidecar Service and Managed Proxy deprecation docs (#4752)
* Initial draft of Sidecar Service and Managed Proxy deprecation docs

* Service definition deprecation notices and sidecar service

* gRPC and sidecar service config options; Deprecate managed proxy options

* Envoy Docs: Basic envoy command; envoy getting started/intro

* Remove change that snuck in

* Envoy custom config example

* Add agent/service API docs; deprecate proxy config endpoint

* Misc grep cleanup for managed proxies; capitalize Envoy

* Updates to getting started guide

* Add missing link

* Refactor Envoy guide into a separate guide and add bootstrap reference notes.

* Add limitations to Envoy docs; Highlight no fixes for known managed proxy issues on deprecation page; clarify snake cae stuff; Sidecar Service lifecycle
2018-10-11 10:44:42 +01:00
Pierre Souchay 42f250fa53 Added SOA configuration for DNS settings. (#4714)
This will allow to fine TUNE SOA settings sent by Consul in DNS responses,
for instance to be able to control negative ttl.

Will fix: https://github.com/hashicorp/consul/issues/4713

# Example

Override all settings:

* min_ttl: 0 => 60s
* retry: 600 (10m) => 300s (5 minutes),
* expire: 86400 (24h) => 43200 (12h)
* refresh: 3600 (1h) => 1800 (30 minutes)

```
consul agent -dev -hcl 'dns_config={soa={min_ttl=60,retry=300,expire=43200,refresh=1800}}'
```

Result:
```
dig +multiline @localhost -p 8600 service.consul

; <<>> DiG 9.12.1 <<>> +multiline @localhost -p 8600 service.consul
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36557
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;service.consul.		IN A

;; AUTHORITY SECTION:
consul.			0 IN SOA ns.consul. hostmaster.consul. (
				1537959133 ; serial
				1800       ; refresh (30 minutes)
				300        ; retry (5 minutes)
				43200      ; expire (12 hours)
				60         ; minimum (1 minute)
				)

;; Query time: 4 msec
;; SERVER: 127.0.0.1#8600(127.0.0.1)
;; WHEN: Wed Sep 26 12:52:13 CEST 2018
;; MSG SIZE  rcvd: 93
```
2018-10-10 15:50:56 -04:00
Kyle Havlovitz 0cbd176a48 connect/ca: more OSS split for multi-dc 2018-10-10 12:17:59 -07:00
Kyle Havlovitz 475afd0300 docs: deprecate acl_datacenter and replace it with primary_datacenter 2018-10-10 12:16:47 -07:00
danielehc 20ae959be8 Update options.html.md (#4753) 2018-10-04 19:28:26 +01:00
Siva Prasad 59dea9a31f
Adds a new command line flag -log-file for file based logging. (#4581)
* Added log-file flag to capture Consul logs in a user specified file

* Refactored code.

* Refactored code. Added flags to rotate logs based on bytes and duration

* Added the flags for log file and log rotation on the webpage

* Fixed TestSantize from failing due to the addition of 3 flags

* Introduced changes : mutex, data-dir log writes, rotation logic

* Added test for logfile and updated the default log destination for docs

* Log name now uses UnixNano

* TestLogFile is now uses t.Parallel()

* Removed unnecessary int64Val function

* Updated docs to reflect default log name for log-file

* No longer writes to data-dir and adds .log if the filename has no extension
2018-08-29 16:56:58 -04:00
Jack Pearkes 5c993a3f5f
Clarification for serf_wan documentation (#4459)
* updates docs for agent options

trying to add a little more clarity to suggestion that folks should use
port 8302 for both LAN and WAN comms

* website: clarify language for serf wan port behavior
2018-08-02 10:25:25 -07:00