Commit graph

615 commits

Author SHA1 Message Date
Armon Dadgar 9152fae109 consul: First pass at tombstone reaping 2015-01-05 14:43:55 -08:00
Armon Dadgar 0c9cbdb3d1 consul: TombstoneReapRequestType -> TombstoneRequestType 2015-01-05 14:43:55 -08:00
Armon Dadgar 8681d913ba consul: Generate a raft operation to reap tombstones 2015-01-05 14:43:55 -08:00
Armon Dadgar 02e984e4c4 consul: Adding new request to reap tombstones 2015-01-05 14:43:55 -08:00
Armon Dadgar 9f30ffbf9a consul: Leader should reset the tombstone GC clock 2015-01-05 14:43:55 -08:00
Armon Dadgar fb8f7fd929 consul: Adding PendingExpiration 2015-01-05 14:43:55 -08:00
Armon Dadgar 71c2c1468d consul: Thread Tombstone GC through 2015-01-05 14:43:55 -08:00
Armon Dadgar ae69cbca7b consul: Fixing accidental commit of transaction 2015-01-05 14:43:54 -08:00
Armon Dadgar 4da4e322a3 consul: Fixing tombstone creation and hinting of GC 2015-01-05 14:43:54 -08:00
Armon Dadgar 1a9431847b consul: Adding GetTxnLimit to MDBTable 2015-01-05 14:43:54 -08:00
Armon Dadgar 2724061351 consul: Support reset of tombstone GC 2015-01-05 14:43:54 -08:00
Armon Dadgar 4430f4592d consul: Adding TombstoneGC to track TTLs 2015-01-05 14:43:54 -08:00
Armon Dadgar 3e2bd0db2c consul: Rename TombstoneGC to TombstoneTTL 2015-01-05 14:43:54 -08:00
Armon Dadgar 68caf9046c consul: Create tombstones before key deletes 2015-01-05 14:43:54 -08:00
Armon Dadgar d5369098ba consul: Adding TombstoneGC config 2015-01-05 14:43:54 -08:00
Daniel Malon e56b3861dc advertise specific address for a service
Enable setting a specific address in a service definition for advertise. If no specific address is given it will fallback to the node address and reassemble the old behaviour.
2015-01-02 21:10:05 +00:00
Armon Dadgar 6b9ace19cf consul: Collect useful session metrics 2015-01-02 22:46:51 +05:30
Armon Dadgar d8c65aabee consul: Minor cleanup 2014-12-12 22:17:41 -08:00
Armon Dadgar c0d3798154 consul: Test Session.Apply updates session timers 2014-12-12 21:54:29 -08:00
Armon Dadgar 4d0903f781 consul: Adding more tests for session TTLs 2014-12-12 21:42:59 -08:00
Armon Dadgar 5b6ce2ca4a consul: Setup ACLs and timers after initial barrier 2014-12-12 21:42:24 -08:00
Armon Dadgar f25566931f consul: Make sessionTimersLock a plain mutex 2014-12-12 19:17:35 -08:00
Armon Dadgar 9b897d1134 consul: Ignore zero ttl on session 2014-12-12 19:17:04 -08:00
Armon Dadgar 990ad02f83 consul: Minor cleanups 2014-12-12 15:43:34 -08:00
Armon Dadgar 8dbfe7c9a8 Merge pull request #524 from amalaviy/session_ttl
Consul Session TTLs
2014-12-12 14:42:25 -08:00
Atin Malaviya 073020f6be Add invalidateSession test 2014-12-11 06:09:53 -05:00
Atin Malaviya 5a76929ba4 Fixed clearSessionTimer, created invalidateSession, added invalid TTL test 2014-12-11 05:34:31 -05:00
Atin Malaviya 7ece29c3e0 Took out usage of snapshot SessionListTTL 2014-12-10 21:37:06 -05:00
Atin Malaviya 2de09dc2e7 Took out StateSnapshot SessionListTTL also 2014-12-10 20:53:05 -05:00
Atin Malaviya 8369b77204 Clean up code based on feedback from armon 2014-12-10 20:49:06 -05:00
Atin Malaviya a1afc07f54 Added more tests 2014-12-10 16:43:15 -05:00
Atin Malaviya c992c18ef0 Added more tests. Also added return of 404 if the session id to renew is not found 2014-12-10 10:02:23 -05:00
Atin Malaviya b623af776b Consul Session TTLs
The design of the session TTLs is based on the Google Chubby approach
(http://research.google.com/archive/chubby-osdi06.pdf). The Session
struct has an additional TTL field now. This attaches an implicit
heartbeat based failure detector. Tracking of heartbeats is done by
the current leader and not persisted via the Raft log. The implication
of this is during a leader failover, we do not retain the last
heartbeat times.

Similar to Chubby, the TTL represents a lower-bound. Consul promises
not to terminate a session before the TTL has expired, but is allowed
to extend the expiration past it. This enables us to reset the TTL on
a leader failover. The TTL is also extended when the client does a
heartbeat. Like Chubby, this means a TTL is extended on creation,
heartbeat or failover.

Additionally, because we must account for time requests are in transit
and the relative rates of clocks on the clients and servers, Consul
will take the conservative approach of internally multiplying the TTL
by 2x. This helps to compensate for network latency and clock skew
without violating the contract.

Reference: https://docs.google.com/document/d/1Y5-pahLkUaA7Kz4SBU_mehKiyt9yaaUGcBTMZR7lToY/edit?usp=sharing
2014-12-07 12:38:22 -05:00
Ali Abbas a542df954f cleanup and simplify 2014-12-06 13:08:35 +01:00
Ali Abbas 40979b1159 * use defer to avoid tracking lock
* simplify control flow
2014-12-06 12:32:18 +01:00
Chavez 5f4281f98f consul: Server leave test fix 2014-12-05 11:22:54 -08:00
Chavez c6b3cae106 consul: Fix failing globalRPC test 2014-12-05 10:36:37 -08:00
Veres Lajos 850d5bdc32 typofixes - https://github.com/vlajos/misspell_fixer 2014-12-04 23:25:06 +00:00
Armon Dadgar 402d580863 consul: Check that ACL also allows registration 2014-11-30 21:10:42 -07:00
Armon Dadgar d74f79b3fa consul: Enforce service registration ACLs 2014-11-30 21:05:15 -07:00
Ali Abbas 818fc22c9f * Fix race condition on read/write of shutdown bool variable of server and connection pool.
* In connection pool, there is no guarantee that .reap() cannot execute the same time as .Shutdown() is called. It also did not benefit to eval shutdown when a select is run on the shutdown channel.
* In server, same principle applies to handleConsulConn. Since we also have a shutdown channel, it makes more to use this than to loop on a bool variable.
2014-11-26 10:39:25 +01:00
Ali Abbas 73504a01e9 cleanup unreachable code 2014-11-25 19:54:30 +01:00
Atin Malaviya d7e09d57ba Set empty Behavior setting into SessionKeysRelease and flag error for unrecognized values 2014-11-20 19:16:07 -05:00
Atin Malaviya 3aabda02b3 Clean up tests, use switch to default session.Behavior value if unspecified, unrecognized 2014-11-20 14:29:18 -05:00
Atin Malaviya aa0cecd04e Ephemeral Nodes for via Session behavior settings.
Added a "delete" behavior for session invalidation, in addition to
the default "release" behavior. On session invalidation, the sessions
Behavior field is checked and if it is set to "delete", all nodes owned
by the session are deleted. If it is "release", then just the locks
are released as default.
2014-11-20 11:34:45 -05:00
Ryan Uber 4cd89a9113 Rebase against upstream 2014-11-19 16:45:49 -08:00
Ryan Uber 3b2ab70c4d consul: clean up comments, fix globalRPC tests 2014-11-19 16:37:40 -08:00
Ryan Uber 4a8249db00 consul: fix obscure bug when launching goroutines from for loop 2014-11-19 16:37:40 -08:00
Ryan Uber 2661bbfa27 consul: more tests, remove unused KeyManager() method 2014-11-19 16:37:40 -08:00
Ryan Uber fcacee723b consul: simplify keyring operations 2014-11-19 16:36:19 -08:00
Ryan Uber 66ad81ef13 consul: add test for internal keyring rpc endpoint 2014-11-19 16:36:19 -08:00
Ryan Uber 344b63b9db consul: simplify keyring operations 2014-11-19 16:36:19 -08:00
Ryan Uber b3f251de9c command/keyring: clean up tests 2014-11-19 16:36:18 -08:00
Ryan Uber d02afd42fb agent: -encrypt appends to keyring if one exists 2014-11-19 16:36:01 -08:00
Ryan Uber 295f876923 command/agent: fix up gossip encryption indicator 2014-11-19 16:35:37 -08:00
Ryan Uber 7f85c708dc agent: squash some more common keyring semantics 2014-11-19 16:34:18 -08:00
Ryan Uber 4e8f53fa5d consul: detach executeKeyringOp() from *Internal 2014-11-19 16:34:18 -08:00
Ryan Uber db0084ccd0 consul: use keyring operation type to cut out duplicated logic 2014-11-19 16:34:18 -08:00
Ryan Uber 057c22db10 consul: generalize multi-DC RPC call broadcasts 2014-11-19 16:34:18 -08:00
Ryan Uber 001a579d47 command/keyring: cleanup 2014-11-19 16:34:18 -08:00
Ryan Uber cb795199d1 consul: test rpc errors returned from remote datacenters 2014-11-19 16:34:18 -08:00
Ryan Uber a1943afddc consul: make forwarding to multiple datacenters parallel 2014-11-19 16:34:18 -08:00
Ryan Uber d7edc1c51c consul: break rpc forwarding and response ingestion out of internal endpoints 2014-11-19 16:34:18 -08:00
Ryan Uber 1ec111bbfc consul: kill unused struct fields 2014-11-19 16:34:17 -08:00
Ryan Uber f6b5fc8c08 consul: cross-dc key rotation works 2014-11-19 16:34:17 -08:00
Ryan Uber f9b5b15a6b consul: use a function for ingesting responses 2014-11-19 16:34:17 -08:00
Ryan Uber 71e9715c54 consul: restructuring 2014-11-19 16:34:17 -08:00
Ryan Uber a551a6e4a0 consul: refactor keyring, repeat RPC calls to all DC's 2014-11-19 16:34:17 -08:00
Ryan Uber 2e92e19760 agent: refactor keyring loader 2014-11-19 16:31:06 -08:00
Ryan Uber 43a60f1424 command: basic rpc works for keys command 2014-11-19 16:30:21 -08:00
Ryan Uber 96376212ff consul: use rpc layer only for key management functions, add rpc commands 2014-11-19 16:30:21 -08:00
Ryan Uber 8a4ed84711 consul: first pass at keyring integration 2014-11-19 16:30:20 -08:00
Armon Dadgar dd41c69389 Merge pull request #478 from amalaviy/https
Added HTTPS support via a new HTTPS Port configuration option
2014-11-19 11:17:10 -08:00
Armon Dadgar bd1e03428c consul: Increase maximum number of parallel readers 2014-11-18 18:46:43 -08:00
Atin Malaviya 2bd0e8c745 consul.Config() helper to generate the tlsutil.Config{} struct, 30 second keepalive, use keepalive for HTTP and HTTPS 2014-11-18 17:56:48 -05:00
Atin Malaviya b4424a1a50 Moved TLS Config stuff to tlsutil package 2014-11-18 11:03:36 -05:00
Armon Dadgar 0540605110 consul: Fixing key list index calculation 2014-11-12 17:55:45 -08:00
Emil Hessman 0222ed9eb9 Fix missing arguments 2014-11-01 22:56:48 +01:00
Armon Dadgar af90aa8026 Gofmt 2014-10-20 10:21:31 -07:00
Armon Dadgar 3f36515544 Switching to the pinned version of msgpack 2014-10-17 18:26:19 -07:00
Armon Dadgar 34713fe970 Encode/Decode test 2014-10-17 18:23:13 -07:00
Armon Dadgar b04dc46c72 consul: Improving test reliability 2014-10-17 17:40:14 -07:00
Armon Dadgar a1d2f9a3da Merge pull request #401 from hashicorp/f-healthcheck
Default services to "critical" state instead of "unknown"
2014-10-15 16:50:38 -07:00
Armon Dadgar e571d532b2 consul: Fixing FSM path tests 2014-10-15 15:03:58 -07:00
Armon Dadgar 0ea385579a consul: Ensure FSM stores data in the data dir 2014-10-15 14:57:59 -07:00
Armon Dadgar 5571da4661 consul: FSM stores state in a given path only 2014-10-15 14:56:12 -07:00
Armon Dadgar 0d1559764d consul: Allow providing a path for the state store 2014-10-15 14:55:04 -07:00
Ryan Uber cc0f80a4aa consul/structs: keep HealthUnknown around for backward compatibility 2014-10-15 11:35:22 -07:00
Armon Dadgar 88b53702f1 consul: Reduce mmap size on 32bit 2014-10-15 11:32:40 -07:00
Ryan Uber ec63686416 consul: kill remaining use of HealthUnknown 2014-10-15 10:14:46 -07:00
Armon Dadgar a8a5905d21 consul: less aggressive deadlock timer. Fixes #389 2014-10-14 12:00:25 -07:00
Armon Dadgar 5c46544e7e consul: Improve variable name 2014-10-14 11:04:43 -07:00
Armon Dadgar e33b6683aa consul: Reap left members ignoring state. Fixes #371 2014-10-14 11:02:26 -07:00
Armon Dadgar 8afbab60cb consul: Log why invalidation happened. Fixes #390 2014-10-14 10:54:57 -07:00
Armon Dadgar b6c5d77cf8 consul: Fixing graceful leave of current leader. Fixes #360. 2014-10-13 22:14:43 -07:00
Armon Dadgar e51f9da84b consul: Deprecate ACLForceSet 2014-10-09 12:28:07 -07:00
Armon Dadgar 1177a9bf11 consul: Fix non-deterministic ACL IDs 2014-10-09 12:23:32 -07:00
Armon Dadgar a80478594a consul: Fix non-deterministic session IDs 2014-10-09 11:54:47 -07:00
Armon Dadgar daa32dd6f8 consul: don't close a nil connection 2014-10-02 10:26:25 -07:00
Armon Dadgar 99d39db982 agent: First pass at multi-DC support 2014-08-28 15:00:49 -07:00
Armon Dadgar 9eddff083a consul: Testing user events 2014-08-26 19:26:55 -07:00
Armon Dadgar 1227e77f6d consul: Adding user event name tests 2014-08-26 19:20:02 -07:00
Armon Dadgar 3a1d686444 consul: Adding user event handler for callbacks 2014-08-26 19:04:07 -07:00
Armon Dadgar b1cf52db01 consul: expose UserEvent from Serf 2014-08-26 18:50:03 -07:00
Armon Dadgar ce98b0abbd consul: Deny delete anonymous or update of root policies 2014-08-22 14:55:09 -07:00
Armon Dadgar 597cd12e97 consul: Ensure node/service/check registration is in a single txn 2014-08-22 12:38:33 -07:00
Armon Dadgar 54ed1ec834 consul: fixing a unit test 2014-08-22 12:34:31 -07:00
Armon Dadgar a078e4d6f4 consul: Refactor txn handling in state store 2014-08-22 12:27:12 -07:00
Armon Dadgar 1f845c995a consul: Ensure authoritative cache is purged after update 2014-08-18 15:46:59 -07:00
Armon Dadgar 6492f06a3e consul: Provide ETag to avoid expensive policy fetch 2014-08-18 15:46:59 -07:00
Armon Dadgar 7473bd2fc9 consul: ACL enforcement for KV updates 2014-08-18 15:46:24 -07:00
Armon Dadgar ea015710e9 consul: ACL enforcement for key reads 2014-08-18 15:46:24 -07:00
Armon Dadgar 7299ef1a82 consul: Filter keys, refactor to interface 2014-08-18 15:46:24 -07:00
Armon Dadgar d38fd8eb1d consul: Helpers to filter on ACL rules 2014-08-18 15:46:24 -07:00
Armon Dadgar 17ee7f5057 consul: Starting token enforcement 2014-08-18 15:46:23 -07:00
Armon Dadgar 5561148c8e consul: Prevent resolution of root policy 2014-08-18 15:46:23 -07:00
Armon Dadgar 8c5bb94c74 consul: Resolve parent ACLs 2014-08-18 15:46:23 -07:00
Armon Dadgar 8153537e86 consul: Support management tokens 2014-08-18 15:46:23 -07:00
Armon Dadgar 9e16caa497 consul: Adding some metrics for ACL usage 2014-08-18 15:46:23 -07:00
Armon Dadgar 5da5df716d consul: Create anonymous and master tokens 2014-08-18 15:46:22 -07:00
Armon Dadgar bbde4beefd consul: Testing down policies and multi-DC 2014-08-18 15:46:22 -07:00
Armon Dadgar 846cc66e6d consul: Testing ACL resolution 2014-08-18 15:46:22 -07:00
Armon Dadgar 61b80e912c consul: Use Etag for policy caching 2014-08-18 15:46:22 -07:00
Armon Dadgar db8f896c58 consul: Support conditional policy fetch 2014-08-18 15:46:22 -07:00
Armon Dadgar edcd69019c consul: Verify compilation of rules 2014-08-18 15:46:22 -07:00
Armon Dadgar 9a4778b7d3 consul: Enable ACL lookup 2014-08-18 15:46:22 -07:00
Armon Dadgar bd124a8da3 consul: Pulling in ACLs 2014-08-18 15:46:21 -07:00
Armon Dadgar 6f7bf36ee9 agent: ACL endpoint tests 2014-08-18 15:46:21 -07:00
Armon Dadgar bdf9516f96 consul: ACL Endpoint tests 2014-08-18 15:46:21 -07:00
Armon Dadgar ea31f37dd6 consul: Adding ACL endpoint 2014-08-18 15:46:21 -07:00
Armon Dadgar b41e36868e consul: register the ACL queries 2014-08-18 15:46:21 -07:00
Armon Dadgar 8a3a0faacf consul: FSM support for ACLsg 2014-08-18 15:46:21 -07:00
Armon Dadgar 101d7da90a consul: Adding ACLs to the state store 2014-08-18 15:46:21 -07:00
Armon Dadgar da52fda65f consul: ACL structs 2014-08-18 15:46:21 -07:00
Armon Dadgar ca6a8aef55 agent: Adding ACL master token 2014-08-18 15:46:20 -07:00
Armon Dadgar ebae394863 consul: ACL setting passthrough 2014-08-18 15:46:20 -07:00
William Tisäter 90816cca98 Run go fmt 2014-07-24 01:09:55 +02:00
William Tisäter 78a69b61a3 Don't override ServiceTags 2014-07-23 23:42:22 +02:00
William Tisäter 31037338a3 Change order of fixtures 2014-07-23 23:42:22 +02:00
William Tisäter 9dc67edf7f Make service tag filter case-insensitive 2014-07-23 23:42:22 +02:00
William Tisäter 2727c158a6 Make service index case-insensitive 2014-07-23 23:42:22 +02:00
William Tisäter ff93acda28 Lowercase index key and lookup value if flag is set 2014-07-23 23:42:22 +02:00
William Tisäter f7263e8e7a Add case-insensitive flag to MDBIndex 2014-07-23 23:42:21 +02:00
William Tisäter 75e631ee94 Add helper for lowercase list of strings 2014-07-23 23:42:21 +02:00
Armon Dadgar bf26a9160f consul: Defer serf handler until initialized. Fixes #254. 2014-07-22 09:36:58 -04:00
Armon Dadgar 020802f7a5 Merge pull request #233 from nelhage/tls-no-subjname
Restore the 0.2 TLS verification behavior.
2014-07-01 13:41:00 -07:00
Nelson Elhage 627b2e455f Add some basic smoke tests for wrapTLSclient.
Check the success case, and check that we reject a self-signed
certificate.
2014-06-29 18:11:32 -07:00
Nelson Elhage 0a2476b20e Restore the 0.2 TLS verification behavior.
Namely, don't check the DNS names in TLS certificates when connecting to
other servers.

As of golang 1.3, crypto/tls no longer natively supports doing partial
verification (verifying the cert issuer but not the hostname), so we
have to disable verification entirely and then do the issuer
verification ourselves. Fortunately, crypto/x509 makes this relatively
straightforward.

If the "server_name" configuration option is passed, we preserve the
existing behavior of checking that server name everywhere.

No option is provided to retain the current behavior of checking the
remote certificate against the local node name, since that behavior
seems clearly buggy and unintentional, and I have difficulty imagining
it is actually being used anywhere. It would be relatively
straightforward to restore if desired, however.
2014-06-28 13:32:42 -07:00
Armon Dadgar 80b86c9ee9 Rename Expect to BootstrapExpect. Fixes #223. 2014-06-19 17:08:55 -07:00
Armon Dadgar 406d19f483 consul: Minor cleanups 2014-06-18 16:15:28 -07:00