package config import ( "encoding/base64" "encoding/json" "fmt" "io/ioutil" "net" "os" "path/filepath" "reflect" "regexp" "sort" "strings" "time" "github.com/hashicorp/consul/agent/consul" "github.com/hashicorp/consul/agent/structs" "github.com/hashicorp/consul/ipaddr" "github.com/hashicorp/consul/tlsutil" "github.com/hashicorp/consul/types" multierror "github.com/hashicorp/go-multierror" "github.com/hashicorp/go-sockaddr/template" "golang.org/x/time/rate" ) // Builder constructs a valid runtime configuration from multiple // configuration sources. // // To build the runtime configuration first call Build() which merges // the sources in a pre-defined order, converts the data types and // structures into their final form and performs the syntactic // validation. // // The sources are merged in the following order: // // * default configuration // * config files in alphabetical order // * command line arguments // // The config sources are merged sequentially and later values // overwrite previously set values. Slice values are merged by // concatenating the two slices. // // Then call Validate() to perform the semantic validation to ensure // that the configuration is ready to be used. // // Splitting the construction into two phases greatly simplifies testing // since not all pre-conditions have to be satisfied when performing // syntactical tests. type Builder struct { // Flags contains the parsed command line arguments. Flags Flags // Head, Sources, and Tail are used to manage the order of the // config sources, as described in the comments above. Head []Source Sources []Source Tail []Source // Warnings contains the warnings encountered when // parsing the configuration. Warnings []string // Hostname returns the hostname of the machine. If nil, os.Hostname // is called. Hostname func() (string, error) // GetPrivateIPv4 and GetPublicIPv6 return suitable default addresses // for cases when the user doesn't supply them. GetPrivateIPv4 func() ([]*net.IPAddr, error) GetPublicIPv6 func() ([]*net.IPAddr, error) // err contains the first error that occurred during // building the runtime configuration. err error } // NewBuilder returns a new configuration builder based on the given command // line flags. func NewBuilder(flags Flags) (*Builder, error) { newSource := func(name string, v interface{}) Source { b, err := json.MarshalIndent(v, "", " ") if err != nil { panic(err) } return Source{Name: name, Format: "json", Data: string(b)} } b := &Builder{ Flags: flags, Head: []Source{DefaultSource()}, } if b.boolVal(b.Flags.DevMode) { b.Head = append(b.Head, DevSource()) } // Since the merge logic is to overwrite all fields with later // values except slices which are merged by appending later values // we need to merge all slice values defined in flags before we // merge the config files since the flag values for slices are // otherwise appended instead of prepended. slices, values := b.splitSlicesAndValues(b.Flags.Config) b.Head = append(b.Head, newSource("flags.slices", slices)) for _, path := range b.Flags.ConfigFiles { if err := b.ReadPath(path); err != nil { return nil, err } } b.Tail = append(b.Tail, newSource("flags.values", values)) for i, s := range b.Flags.HCL { b.Tail = append(b.Tail, Source{ Name: fmt.Sprintf("flags.hcl.%d", i), Format: "hcl", Data: s, }) } b.Tail = append(b.Tail, NonUserSource(), DefaultConsulSource(), DefaultVersionSource()) if b.boolVal(b.Flags.DevMode) { b.Tail = append(b.Tail, DevConsulSource()) } return b, nil } // ReadPath reads a single config file or all files in a directory (but // not its sub-directories) and appends them to the list of config // sources. If path refers to a file then the format is assumed to be // JSON unless the file has a '.hcl' suffix. If path refers to a // directory then the format is determined by the suffix and only files // with a '.json' or '.hcl' suffix are processed. func (b *Builder) ReadPath(path string) error { f, err := os.Open(path) if err != nil { return fmt.Errorf("config: Open failed on %s. %s", path, err) } defer f.Close() fi, err := f.Stat() if err != nil { return fmt.Errorf("config: Stat failed on %s. %s", path, err) } if !fi.IsDir() { return b.ReadFile(path) } fis, err := f.Readdir(-1) if err != nil { return fmt.Errorf("config: Readdir failed on %s. %s", path, err) } // sort files by name sort.Sort(byName(fis)) for _, fi := range fis { // do not recurse into sub dirs if fi.IsDir() { continue } // skip files without json or hcl extension if !strings.HasSuffix(fi.Name(), ".json") && !strings.HasSuffix(fi.Name(), ".hcl") { continue } if err := b.ReadFile(filepath.Join(path, fi.Name())); err != nil { return err } } return nil } // ReadFile parses a JSON or HCL config file and appends it to the list of // config sources. func (b *Builder) ReadFile(path string) error { if !strings.HasSuffix(path, ".json") && !strings.HasSuffix(path, ".hcl") { return fmt.Errorf(`Missing or invalid file extension for %q. Please use ".json" or ".hcl".`, path) } data, err := ioutil.ReadFile(path) if err != nil { return fmt.Errorf("config: ReadFile failed on %s: %s", path, err) } b.Sources = append(b.Sources, NewSource(path, string(data))) return nil } type byName []os.FileInfo func (a byName) Len() int { return len(a) } func (a byName) Swap(i, j int) { a[i], a[j] = a[j], a[i] } func (a byName) Less(i, j int) bool { return a[i].Name() < a[j].Name() } func (b *Builder) BuildAndValidate() (RuntimeConfig, error) { rt, err := b.Build() if err != nil { return RuntimeConfig{}, err } if err := b.Validate(rt); err != nil { return RuntimeConfig{}, err } return rt, nil } // Build constructs the runtime configuration from the config sources // and the command line flags. The config sources are processed in the // order they were added with the flags being processed last to give // precedence over the other sources. If the error is nil then // warnings can still contain deprecation or format warnings that should // be presented to the user. func (b *Builder) Build() (rt RuntimeConfig, err error) { b.err = nil b.Warnings = nil // ---------------------------------------------------------------- // merge config sources as follows // // build the list of config sources var srcs []Source srcs = append(srcs, b.Head...) srcs = append(srcs, b.Sources...) srcs = append(srcs, b.Tail...) // parse the config sources into a configuration var c Config for _, s := range srcs { if s.Name == "" || s.Data == "" { continue } c2, err := Parse(s.Data, s.Format) if err != nil { return RuntimeConfig{}, fmt.Errorf("Error parsing %s: %s", s.Name, err) } // if we have a single 'check' or 'service' we need to add them to the // list of checks and services first since we cannot merge them // generically and later values would clobber earlier ones. if c2.Check != nil { c2.Checks = append(c2.Checks, *c2.Check) c2.Check = nil } if c2.Service != nil { c2.Services = append(c2.Services, *c2.Service) c2.Service = nil } c = Merge(c, c2) } // ---------------------------------------------------------------- // process/merge some complex values // var dnsServiceTTL = map[string]time.Duration{} for k, v := range c.DNS.ServiceTTL { dnsServiceTTL[k] = b.durationVal(fmt.Sprintf("dns_config.service_ttl[%q]", k), &v) } leaveOnTerm := !b.boolVal(c.ServerMode) if c.LeaveOnTerm != nil { leaveOnTerm = b.boolVal(c.LeaveOnTerm) } skipLeaveOnInt := b.boolVal(c.ServerMode) if c.SkipLeaveOnInt != nil { skipLeaveOnInt = b.boolVal(c.SkipLeaveOnInt) } // ---------------------------------------------------------------- // checks and services // var checks []*structs.CheckDefinition if c.Check != nil { checks = append(checks, b.checkVal(c.Check)) } for _, check := range c.Checks { checks = append(checks, b.checkVal(&check)) } var services []*structs.ServiceDefinition for _, service := range c.Services { services = append(services, b.serviceVal(&service)) } if c.Service != nil { services = append(services, b.serviceVal(c.Service)) } // ---------------------------------------------------------------- // addresses // // determine port values and replace values <= 0 and > 65535 with -1 dnsPort := b.portVal("ports.dns", c.Ports.DNS) httpPort := b.portVal("ports.http", c.Ports.HTTP) httpsPort := b.portVal("ports.https", c.Ports.HTTPS) serverPort := b.portVal("ports.server", c.Ports.Server) serfPortLAN := b.portVal("ports.serf_lan", c.Ports.SerfLAN) serfPortWAN := b.portVal("ports.serf_wan", c.Ports.SerfWAN) // determine the default bind and advertise address // // First check whether the user provided an ANY address or whether // the expanded template results in an ANY address. In that case we // derive an advertise address from the current network // configuration since we can listen on an ANY address for incoming // traffic but cannot advertise it as the address on which the // server can be reached. bindAddrs := b.expandAddrs("bind_addr", c.BindAddr) if len(bindAddrs) == 0 { return RuntimeConfig{}, fmt.Errorf("bind_addr cannot be empty") } if len(bindAddrs) > 1 { return RuntimeConfig{}, fmt.Errorf("bind_addr cannot contain multiple addresses. Use 'addresses.{dns,http,https}' instead.") } if isUnixAddr(bindAddrs[0]) { return RuntimeConfig{}, fmt.Errorf("bind_addr cannot be a unix socket") } if !isIPAddr(bindAddrs[0]) { return RuntimeConfig{}, fmt.Errorf("bind_addr must be an ip address") } if ipaddr.IsAny(b.stringVal(c.AdvertiseAddrLAN)) { return RuntimeConfig{}, fmt.Errorf("Advertise address cannot be 0.0.0.0, :: or [::]") } if ipaddr.IsAny(b.stringVal(c.AdvertiseAddrWAN)) { return RuntimeConfig{}, fmt.Errorf("Advertise WAN address cannot be 0.0.0.0, :: or [::]") } bindAddr := bindAddrs[0].(*net.IPAddr) advertiseAddr := b.makeIPAddr(b.expandFirstIP("advertise_addr", c.AdvertiseAddrLAN), bindAddr) if ipaddr.IsAny(advertiseAddr) { var addrtyp string var detect func() ([]*net.IPAddr, error) switch { case ipaddr.IsAnyV4(advertiseAddr): addrtyp = "private IPv4" detect = b.GetPrivateIPv4 if detect == nil { detect = ipaddr.GetPrivateIPv4 } case ipaddr.IsAnyV6(advertiseAddr): addrtyp = "public IPv6" detect = b.GetPublicIPv6 if detect == nil { detect = ipaddr.GetPublicIPv6 } } advertiseAddrs, err := detect() if err != nil { return RuntimeConfig{}, fmt.Errorf("Error detecting %s address: %s", addrtyp, err) } if len(advertiseAddrs) == 0 { return RuntimeConfig{}, fmt.Errorf("No %s address found", addrtyp) } if len(advertiseAddrs) > 1 { return RuntimeConfig{}, fmt.Errorf("Multiple %s addresses found. Please configure one", addrtyp) } advertiseAddr = advertiseAddrs[0] } // derive other bind addresses from the bindAddr rpcBindAddr := b.makeTCPAddr(bindAddr, nil, serverPort) serfBindAddrLAN := b.makeTCPAddr(b.expandFirstIP("serf_lan", c.SerfBindAddrLAN), bindAddr, serfPortLAN) serfBindAddrWAN := b.makeTCPAddr(b.expandFirstIP("serf_wan", c.SerfBindAddrWAN), bindAddr, serfPortWAN) // derive other advertise addresses from the advertise address advertiseAddrLAN := b.makeIPAddr(b.expandFirstIP("advertise_addr", c.AdvertiseAddrLAN), advertiseAddr) advertiseAddrWAN := b.makeIPAddr(b.expandFirstIP("advertise_addr_wan", c.AdvertiseAddrWAN), advertiseAddrLAN) rpcAdvertiseAddr := &net.TCPAddr{IP: advertiseAddrLAN.IP, Port: serverPort} serfAdvertiseAddrLAN := &net.TCPAddr{IP: advertiseAddrLAN.IP, Port: serfPortLAN} serfAdvertiseAddrWAN := &net.TCPAddr{IP: advertiseAddrWAN.IP, Port: serfPortWAN} // determine client addresses clientAddrs := b.expandIPs("client_addr", c.ClientAddr) dnsAddrs := b.makeAddrs(b.expandAddrs("addresses.dns", c.Addresses.DNS), clientAddrs, dnsPort) httpAddrs := b.makeAddrs(b.expandAddrs("addresses.http", c.Addresses.HTTP), clientAddrs, httpPort) httpsAddrs := b.makeAddrs(b.expandAddrs("addresses.https", c.Addresses.HTTPS), clientAddrs, httpsPort) for _, a := range dnsAddrs { if x, ok := a.(*net.TCPAddr); ok { dnsAddrs = append(dnsAddrs, &net.UDPAddr{IP: x.IP, Port: x.Port}) } } // expand dns recursors uniq := map[string]bool{} dnsRecursors := []string{} for _, r := range c.DNSRecursors { x, err := template.Parse(r) if err != nil { return RuntimeConfig{}, fmt.Errorf("Invalid DNS recursor template %q: %s", r, err) } for _, addr := range strings.Fields(x) { if strings.HasPrefix(addr, "unix://") { return RuntimeConfig{}, fmt.Errorf("DNS Recursors cannot be unix sockets: %s", addr) } if uniq[addr] { continue } uniq[addr] = true dnsRecursors = append(dnsRecursors, addr) } } // Create the default set of tagged addresses. if c.TaggedAddresses == nil { c.TaggedAddresses = make(map[string]string) } c.TaggedAddresses["lan"] = advertiseAddrLAN.IP.String() c.TaggedAddresses["wan"] = advertiseAddrWAN.IP.String() // segments var segments []structs.NetworkSegment for _, s := range c.Segments { name := b.stringVal(s.Name) port := b.portVal(fmt.Sprintf("segments[%s].port", name), s.Port) if port <= 0 { return RuntimeConfig{}, fmt.Errorf("Port for segment %q cannot be <= 0", name) } bind := b.makeTCPAddr( b.expandFirstIP(fmt.Sprintf("segments[%s].bind", name), s.Bind), bindAddr, port, ) advertise := b.makeTCPAddr( b.expandFirstIP(fmt.Sprintf("segments[%s].advertise", name), s.Advertise), advertiseAddrLAN, port, ) segments = append(segments, structs.NetworkSegment{ Name: name, Bind: bind, Advertise: advertise, RPCListener: b.boolVal(s.RPCListener), }) } // Parse the metric filters var telemetryAllowedPrefixes, telemetryBlockedPrefixes []string for _, rule := range c.Telemetry.PrefixFilter { if rule == "" { b.warn("Cannot have empty filter rule in prefix_filter") continue } switch rule[0] { case '+': telemetryAllowedPrefixes = append(telemetryAllowedPrefixes, rule[1:]) case '-': telemetryBlockedPrefixes = append(telemetryBlockedPrefixes, rule[1:]) default: b.warn("Filter rule must begin with either '+' or '-': %q", rule) } } // Add a filter rule if needed for enabling the deprecated metric names enableDeprecatedNames := b.boolVal(c.Telemetry.EnableDeprecatedNames) if enableDeprecatedNames { telemetryAllowedPrefixes = append(telemetryAllowedPrefixes, "consul.consul") } else { telemetryBlockedPrefixes = append(telemetryBlockedPrefixes, "consul.consul") } // raft performance scaling performanceRaftMultiplier := b.intVal(c.Performance.RaftMultiplier) if performanceRaftMultiplier < 1 || uint(performanceRaftMultiplier) > consul.MaxRaftMultiplier { return RuntimeConfig{}, fmt.Errorf("performance.raft_multiplier cannot be %d. Must be between 1 and %d", performanceRaftMultiplier, consul.MaxRaftMultiplier) } consulRaftElectionTimeout := b.durationVal("consul.raft.election_timeout", c.Consul.Raft.ElectionTimeout) * time.Duration(performanceRaftMultiplier) consulRaftHeartbeatTimeout := b.durationVal("consul.raft.heartbeat_timeout", c.Consul.Raft.HeartbeatTimeout) * time.Duration(performanceRaftMultiplier) consulRaftLeaderLeaseTimeout := b.durationVal("consul.raft.leader_lease_timeout", c.Consul.Raft.LeaderLeaseTimeout) * time.Duration(performanceRaftMultiplier) // ---------------------------------------------------------------- // build runtime config // rt = RuntimeConfig{ // non-user configurable values ACLDisabledTTL: b.durationVal("acl_disabled_ttl", c.ACLDisabledTTL), AEInterval: b.durationVal("ae_interval", c.AEInterval), CheckDeregisterIntervalMin: b.durationVal("check_deregister_interval_min", c.CheckDeregisterIntervalMin), CheckReapInterval: b.durationVal("check_reap_interval", c.CheckReapInterval), Revision: b.stringVal(c.Revision), SegmentLimit: b.intVal(c.SegmentLimit), SegmentNameLimit: b.intVal(c.SegmentNameLimit), SyncCoordinateIntervalMin: b.durationVal("sync_coordinate_interval_min", c.SyncCoordinateIntervalMin), SyncCoordinateRateTarget: b.float64Val(c.SyncCoordinateRateTarget), Version: b.stringVal(c.Version), VersionPrerelease: b.stringVal(c.VersionPrerelease), // consul configuration ConsulCoordinateUpdateBatchSize: b.intVal(c.Consul.Coordinate.UpdateBatchSize), ConsulCoordinateUpdateMaxBatches: b.intVal(c.Consul.Coordinate.UpdateMaxBatches), ConsulCoordinateUpdatePeriod: b.durationVal("consul.coordinate.update_period", c.Consul.Coordinate.UpdatePeriod), ConsulRaftElectionTimeout: consulRaftElectionTimeout, ConsulRaftHeartbeatTimeout: consulRaftHeartbeatTimeout, ConsulRaftLeaderLeaseTimeout: consulRaftLeaderLeaseTimeout, ConsulSerfLANGossipInterval: b.durationVal("consul.serf_lan.gossip_interval", c.Consul.SerfLAN.Memberlist.GossipInterval), ConsulSerfLANProbeInterval: b.durationVal("consul.serf_lan.probe_interval", c.Consul.SerfLAN.Memberlist.ProbeInterval), ConsulSerfLANProbeTimeout: b.durationVal("consul.serf_lan.probe_timeout", c.Consul.SerfLAN.Memberlist.ProbeTimeout), ConsulSerfLANSuspicionMult: b.intVal(c.Consul.SerfLAN.Memberlist.SuspicionMult), ConsulSerfWANGossipInterval: b.durationVal("consul.serf_wan.gossip_interval", c.Consul.SerfWAN.Memberlist.GossipInterval), ConsulSerfWANProbeInterval: b.durationVal("consul.serf_wan.probe_interval", c.Consul.SerfWAN.Memberlist.ProbeInterval), ConsulSerfWANProbeTimeout: b.durationVal("consul.serf_wan.probe_timeout", c.Consul.SerfWAN.Memberlist.ProbeTimeout), ConsulSerfWANSuspicionMult: b.intVal(c.Consul.SerfWAN.Memberlist.SuspicionMult), ConsulServerHealthInterval: b.durationVal("consul.server.health_interval", c.Consul.Server.HealthInterval), // ACL ACLAgentMasterToken: b.stringVal(c.ACLAgentMasterToken), ACLAgentToken: b.stringVal(c.ACLAgentToken), ACLDatacenter: strings.ToLower(b.stringVal(c.ACLDatacenter)), ACLDefaultPolicy: b.stringVal(c.ACLDefaultPolicy), ACLDownPolicy: b.stringVal(c.ACLDownPolicy), ACLEnforceVersion8: b.boolVal(c.ACLEnforceVersion8), ACLEnableKeyListPolicy: b.boolVal(c.ACLEnableKeyListPolicy), ACLMasterToken: b.stringVal(c.ACLMasterToken), ACLReplicationToken: b.stringVal(c.ACLReplicationToken), ACLTTL: b.durationVal("acl_ttl", c.ACLTTL), ACLToken: b.stringVal(c.ACLToken), EnableACLReplication: b.boolVal(c.EnableACLReplication), // Autopilot AutopilotCleanupDeadServers: b.boolVal(c.Autopilot.CleanupDeadServers), AutopilotDisableUpgradeMigration: b.boolVal(c.Autopilot.DisableUpgradeMigration), AutopilotLastContactThreshold: b.durationVal("autopilot.last_contact_threshold", c.Autopilot.LastContactThreshold), AutopilotMaxTrailingLogs: b.intVal(c.Autopilot.MaxTrailingLogs), AutopilotRedundancyZoneTag: b.stringVal(c.Autopilot.RedundancyZoneTag), AutopilotServerStabilizationTime: b.durationVal("autopilot.server_stabilization_time", c.Autopilot.ServerStabilizationTime), AutopilotUpgradeVersionTag: b.stringVal(c.Autopilot.UpgradeVersionTag), // DNS DNSAddrs: dnsAddrs, DNSAllowStale: b.boolVal(c.DNS.AllowStale), DNSDisableCompression: b.boolVal(c.DNS.DisableCompression), DNSDomain: b.stringVal(c.DNSDomain), DNSEnableTruncate: b.boolVal(c.DNS.EnableTruncate), DNSMaxStale: b.durationVal("dns_config.max_stale", c.DNS.MaxStale), DNSNodeTTL: b.durationVal("dns_config.node_ttl", c.DNS.NodeTTL), DNSOnlyPassing: b.boolVal(c.DNS.OnlyPassing), DNSPort: dnsPort, DNSRecursorTimeout: b.durationVal("recursor_timeout", c.DNS.RecursorTimeout), DNSRecursors: dnsRecursors, DNSServiceTTL: dnsServiceTTL, DNSUDPAnswerLimit: b.intVal(c.DNS.UDPAnswerLimit), // HTTP HTTPPort: httpPort, HTTPSPort: httpsPort, HTTPAddrs: httpAddrs, HTTPSAddrs: httpsAddrs, HTTPBlockEndpoints: c.HTTPConfig.BlockEndpoints, HTTPResponseHeaders: c.HTTPConfig.ResponseHeaders, // Telemetry TelemetryCirconusAPIApp: b.stringVal(c.Telemetry.CirconusAPIApp), TelemetryCirconusAPIToken: b.stringVal(c.Telemetry.CirconusAPIToken), TelemetryCirconusAPIURL: b.stringVal(c.Telemetry.CirconusAPIURL), TelemetryCirconusBrokerID: b.stringVal(c.Telemetry.CirconusBrokerID), TelemetryCirconusBrokerSelectTag: b.stringVal(c.Telemetry.CirconusBrokerSelectTag), TelemetryCirconusCheckDisplayName: b.stringVal(c.Telemetry.CirconusCheckDisplayName), TelemetryCirconusCheckForceMetricActivation: b.stringVal(c.Telemetry.CirconusCheckForceMetricActivation), TelemetryCirconusCheckID: b.stringVal(c.Telemetry.CirconusCheckID), TelemetryCirconusCheckInstanceID: b.stringVal(c.Telemetry.CirconusCheckInstanceID), TelemetryCirconusCheckSearchTag: b.stringVal(c.Telemetry.CirconusCheckSearchTag), TelemetryCirconusCheckTags: b.stringVal(c.Telemetry.CirconusCheckTags), TelemetryCirconusSubmissionInterval: b.stringVal(c.Telemetry.CirconusSubmissionInterval), TelemetryCirconusSubmissionURL: b.stringVal(c.Telemetry.CirconusSubmissionURL), TelemetryDisableHostname: b.boolVal(c.Telemetry.DisableHostname), TelemetryDogstatsdAddr: b.stringVal(c.Telemetry.DogstatsdAddr), TelemetryDogstatsdTags: c.Telemetry.DogstatsdTags, TelemetryFilterDefault: b.boolVal(c.Telemetry.FilterDefault), TelemetryAllowedPrefixes: telemetryAllowedPrefixes, TelemetryBlockedPrefixes: telemetryBlockedPrefixes, TelemetryMetricsPrefix: b.stringVal(c.Telemetry.MetricsPrefix), TelemetryStatsdAddr: b.stringVal(c.Telemetry.StatsdAddr), TelemetryStatsiteAddr: b.stringVal(c.Telemetry.StatsiteAddr), // Agent AdvertiseAddrLAN: advertiseAddrLAN, AdvertiseAddrWAN: advertiseAddrWAN, BindAddr: bindAddr, Bootstrap: b.boolVal(c.Bootstrap), BootstrapExpect: b.intVal(c.BootstrapExpect), CAFile: b.stringVal(c.CAFile), CAPath: b.stringVal(c.CAPath), CertFile: b.stringVal(c.CertFile), CheckUpdateInterval: b.durationVal("check_update_interval", c.CheckUpdateInterval), Checks: checks, ClientAddrs: clientAddrs, DataDir: b.stringVal(c.DataDir), Datacenter: strings.ToLower(b.stringVal(c.Datacenter)), DevMode: b.boolVal(b.Flags.DevMode), DisableAnonymousSignature: b.boolVal(c.DisableAnonymousSignature), DisableCoordinates: b.boolVal(c.DisableCoordinates), DisableHostNodeID: b.boolVal(c.DisableHostNodeID), DisableKeyringFile: b.boolVal(c.DisableKeyringFile), DisableRemoteExec: b.boolVal(c.DisableRemoteExec), DisableUpdateCheck: b.boolVal(c.DisableUpdateCheck), DiscardCheckOutput: b.boolVal(c.DiscardCheckOutput), EnableDebug: b.boolVal(c.EnableDebug), EnableScriptChecks: b.boolVal(c.EnableScriptChecks), EnableSyslog: b.boolVal(c.EnableSyslog), EnableUI: b.boolVal(c.UI), EncryptKey: b.stringVal(c.EncryptKey), EncryptVerifyIncoming: b.boolVal(c.EncryptVerifyIncoming), EncryptVerifyOutgoing: b.boolVal(c.EncryptVerifyOutgoing), KeyFile: b.stringVal(c.KeyFile), LeaveDrainTime: b.durationVal("performance.leave_drain_time", c.Performance.LeaveDrainTime), LeaveOnTerm: leaveOnTerm, LogLevel: b.stringVal(c.LogLevel), NodeID: types.NodeID(b.stringVal(c.NodeID)), NodeMeta: c.NodeMeta, NodeName: b.nodeName(c.NodeName), NonVotingServer: b.boolVal(c.NonVotingServer), PidFile: b.stringVal(c.PidFile), RPCAdvertiseAddr: rpcAdvertiseAddr, RPCBindAddr: rpcBindAddr, RPCHoldTimeout: b.durationVal("performance.rpc_hold_timeout", c.Performance.RPCHoldTimeout), RPCMaxBurst: b.intVal(c.Limits.RPCMaxBurst), RPCProtocol: b.intVal(c.RPCProtocol), RPCRateLimit: rate.Limit(b.float64Val(c.Limits.RPCRate)), RaftProtocol: b.intVal(c.RaftProtocol), ReconnectTimeoutLAN: b.durationVal("reconnect_timeout", c.ReconnectTimeoutLAN), ReconnectTimeoutWAN: b.durationVal("reconnect_timeout_wan", c.ReconnectTimeoutWAN), RejoinAfterLeave: b.boolVal(c.RejoinAfterLeave), RetryJoinIntervalLAN: b.durationVal("retry_interval", c.RetryJoinIntervalLAN), RetryJoinIntervalWAN: b.durationVal("retry_interval_wan", c.RetryJoinIntervalWAN), RetryJoinLAN: c.RetryJoinLAN, RetryJoinMaxAttemptsLAN: b.intVal(c.RetryJoinMaxAttemptsLAN), RetryJoinMaxAttemptsWAN: b.intVal(c.RetryJoinMaxAttemptsWAN), RetryJoinWAN: c.RetryJoinWAN, SegmentName: b.stringVal(c.SegmentName), Segments: segments, SerfAdvertiseAddrLAN: serfAdvertiseAddrLAN, SerfAdvertiseAddrWAN: serfAdvertiseAddrWAN, SerfBindAddrLAN: serfBindAddrLAN, SerfBindAddrWAN: serfBindAddrWAN, SerfPortLAN: serfPortLAN, SerfPortWAN: serfPortWAN, ServerMode: b.boolVal(c.ServerMode), ServerName: b.stringVal(c.ServerName), ServerPort: serverPort, Services: services, SessionTTLMin: b.durationVal("session_ttl_min", c.SessionTTLMin), SkipLeaveOnInt: skipLeaveOnInt, StartJoinAddrsLAN: c.StartJoinAddrsLAN, StartJoinAddrsWAN: c.StartJoinAddrsWAN, SyslogFacility: b.stringVal(c.SyslogFacility), TLSCipherSuites: b.tlsCipherSuites("tls_cipher_suites", c.TLSCipherSuites), TLSMinVersion: b.stringVal(c.TLSMinVersion), TLSPreferServerCipherSuites: b.boolVal(c.TLSPreferServerCipherSuites), TaggedAddresses: c.TaggedAddresses, TranslateWANAddrs: b.boolVal(c.TranslateWANAddrs), UIDir: b.stringVal(c.UIDir), UnixSocketGroup: b.stringVal(c.UnixSocket.Group), UnixSocketMode: b.stringVal(c.UnixSocket.Mode), UnixSocketUser: b.stringVal(c.UnixSocket.User), VerifyIncoming: b.boolVal(c.VerifyIncoming), VerifyIncomingHTTPS: b.boolVal(c.VerifyIncomingHTTPS), VerifyIncomingRPC: b.boolVal(c.VerifyIncomingRPC), VerifyOutgoing: b.boolVal(c.VerifyOutgoing), VerifyServerHostname: b.boolVal(c.VerifyServerHostname), Watches: c.Watches, } if rt.BootstrapExpect == 1 { rt.Bootstrap = true rt.BootstrapExpect = 0 b.warn(`BootstrapExpect is set to 1; this is the same as Bootstrap mode.`) } if rt.ACLReplicationToken != "" { rt.EnableACLReplication = true } return rt, nil } // Validate performs semantical validation of the runtime configuration. func (b *Builder) Validate(rt RuntimeConfig) error { // reDatacenter defines a regexp for a valid datacenter name var reDatacenter = regexp.MustCompile("^[a-z0-9_-]+$") // ---------------------------------------------------------------- // check required params we cannot recover from first // if rt.Datacenter == "" { return fmt.Errorf("datacenter cannot be empty") } if !reDatacenter.MatchString(rt.Datacenter) { return fmt.Errorf("datacenter cannot be %q. Please use only [a-z0-9-_].", rt.Datacenter) } if rt.DataDir == "" && !rt.DevMode { return fmt.Errorf("data_dir cannot be empty") } if !rt.DevMode { fi, err := os.Stat(rt.DataDir) switch { case err != nil && !os.IsNotExist(err): return fmt.Errorf("Error getting info on data_dir: %s", err) case err == nil && !fi.IsDir(): return fmt.Errorf("data_dir %q is not a directory", rt.DataDir) } } if rt.NodeName == "" { return fmt.Errorf("node_name cannot be empty") } if ipaddr.IsAny(rt.AdvertiseAddrLAN.IP) { return fmt.Errorf("Advertise address cannot be 0.0.0.0, :: or [::]") } if ipaddr.IsAny(rt.AdvertiseAddrWAN.IP) { return fmt.Errorf("Advertise WAN address cannot be 0.0.0.0, :: or [::]") } if err := b.validateSegments(rt); err != nil { return err } for _, a := range rt.DNSAddrs { if _, ok := a.(*net.UnixAddr); ok { return fmt.Errorf("DNS address cannot be a unix socket") } } if rt.Bootstrap && !rt.ServerMode { return fmt.Errorf("'bootstrap = true' requires 'server = true'") } if rt.BootstrapExpect < 0 { return fmt.Errorf("bootstrap_expect cannot be %d. Must be greater than or equal to zero", rt.BootstrapExpect) } if rt.BootstrapExpect > 0 && !rt.ServerMode { return fmt.Errorf("'bootstrap_expect > 0' requires 'server = true'") } if rt.BootstrapExpect > 0 && rt.DevMode { return fmt.Errorf("'bootstrap_expect > 0' not allowed in dev mode") } if rt.BootstrapExpect > 0 && rt.Bootstrap { return fmt.Errorf("'bootstrap_expect > 0' and 'bootstrap = true' are mutually exclusive") } if rt.AEInterval <= 0 { return fmt.Errorf("ae_interval cannot be %s. Must be positive", rt.AEInterval) } if rt.AutopilotMaxTrailingLogs < 0 { return fmt.Errorf("autopilot.max_trailing_logs cannot be %d. Must be greater than or equal to zero", rt.AutopilotMaxTrailingLogs) } if rt.ACLDatacenter != "" && !reDatacenter.MatchString(rt.ACLDatacenter) { return fmt.Errorf("acl_datacenter cannot be %q. Please use only [a-z0-9-_].", rt.ACLDatacenter) } if rt.EnableUI && rt.UIDir != "" { return fmt.Errorf( "Both the ui and ui-dir flags were specified, please provide only one.\n" + "If trying to use your own web UI resources, use the ui-dir flag.\n" + "If using Consul version 0.7.0 or later, the web UI is included in the binary so use ui to enable it") } if rt.DNSUDPAnswerLimit < 0 { return fmt.Errorf("dns_config.udp_answer_limit cannot be %d. Must be greater than or equal to zero", rt.DNSUDPAnswerLimit) } if err := structs.ValidateMetadata(rt.NodeMeta, false); err != nil { return fmt.Errorf("node_meta invalid: %v", err) } if rt.EncryptKey != "" { if _, err := decodeBytes(rt.EncryptKey); err != nil { return fmt.Errorf("encrypt has invalid key: %s", err) } keyfileLAN := filepath.Join(rt.DataDir, SerfLANKeyring) if _, err := os.Stat(keyfileLAN); err == nil { b.warn("WARNING: LAN keyring exists but -encrypt given, using keyring") } if rt.ServerMode { keyfileWAN := filepath.Join(rt.DataDir, SerfWANKeyring) if _, err := os.Stat(keyfileWAN); err == nil { b.warn("WARNING: WAN keyring exists but -encrypt given, using keyring") } } } // Check the data dir for signs of an un-migrated Consul 0.5.x or older // server. Consul refuses to start if this is present to protect a server // with existing data from starting on a fresh data set. if rt.ServerMode { mdbPath := filepath.Join(rt.DataDir, "mdb") if _, err := os.Stat(mdbPath); !os.IsNotExist(err) { if os.IsPermission(err) { return fmt.Errorf( "CRITICAL: Permission denied for data folder at %q!\n"+ "Consul will refuse to boot without access to this directory.\n"+ "Please correct permissions and try starting again.", mdbPath) } return fmt.Errorf("CRITICAL: Deprecated data folder found at %q!\n"+ "Consul will refuse to boot with this directory present.\n"+ "See https://www.consul.io/docs/upgrade-specific.html for more information.", mdbPath) } } inuse := map[string]string{} if err := addrsUnique(inuse, "DNS", rt.DNSAddrs); err != nil { // cannot happen since this is the first address // we leave this for consistency return err } if err := addrsUnique(inuse, "HTTP", rt.HTTPAddrs); err != nil { return err } if err := addrsUnique(inuse, "HTTPS", rt.HTTPSAddrs); err != nil { return err } if err := addrUnique(inuse, "RPC Advertise", rt.RPCAdvertiseAddr); err != nil { return err } if err := addrUnique(inuse, "Serf Advertise LAN", rt.SerfAdvertiseAddrLAN); err != nil { return err } if err := addrUnique(inuse, "Serf Advertise WAN", rt.SerfAdvertiseAddrWAN); err != nil { return err } if b.err != nil { return b.err } // ---------------------------------------------------------------- // warnings // if rt.ServerMode && !rt.DevMode && !rt.Bootstrap && rt.BootstrapExpect == 2 { b.warn(`bootstrap_expect = 2: A cluster with 2 servers will provide no failure tolerance. See https://www.consul.io/docs/internals/consensus.html#deployment-table`) } if rt.ServerMode && !rt.Bootstrap && rt.BootstrapExpect > 2 && rt.BootstrapExpect%2 == 0 { b.warn(`bootstrap_expect is even number: A cluster with an even number of servers does not achieve optimum fault tolerance. See https://www.consul.io/docs/internals/consensus.html#deployment-table`) } if rt.ServerMode && rt.Bootstrap && rt.BootstrapExpect == 0 { b.warn(`bootstrap = true: do not enable unless necessary`) } if rt.ServerMode && !rt.DevMode && !rt.Bootstrap && rt.BootstrapExpect > 1 { b.warn("bootstrap_expect > 0: expecting %d servers", rt.BootstrapExpect) } return nil } // addrUnique checks if the given address is already in use for another // protocol. func addrUnique(inuse map[string]string, name string, addr net.Addr) error { key := addr.Network() + ":" + addr.String() if other, ok := inuse[key]; ok { return fmt.Errorf("%s address %s already configured for %s", name, addr.String(), other) } inuse[key] = name return nil } // addrsUnique checks if any of the give addresses is already in use for // another protocol. func addrsUnique(inuse map[string]string, name string, addrs []net.Addr) error { for _, a := range addrs { if err := addrUnique(inuse, name, a); err != nil { return err } } return nil } // splitSlicesAndValues moves all slice values defined in c to 'slices' // and all other values to 'values'. func (b *Builder) splitSlicesAndValues(c Config) (slices, values Config) { v, t := reflect.ValueOf(c), reflect.TypeOf(c) rs, rv := reflect.New(t), reflect.New(t) for i := 0; i < t.NumField(); i++ { f := t.Field(i) if f.Type.Kind() == reflect.Slice { rs.Elem().Field(i).Set(v.Field(i)) } else { rv.Elem().Field(i).Set(v.Field(i)) } } return rs.Elem().Interface().(Config), rv.Elem().Interface().(Config) } func (b *Builder) warn(msg string, args ...interface{}) { b.Warnings = append(b.Warnings, fmt.Sprintf(msg, args...)) } func (b *Builder) checkVal(v *CheckDefinition) *structs.CheckDefinition { if v == nil { return nil } id := types.CheckID(b.stringVal(v.ID)) return &structs.CheckDefinition{ ID: id, Name: b.stringVal(v.Name), Notes: b.stringVal(v.Notes), ServiceID: b.stringVal(v.ServiceID), Token: b.stringVal(v.Token), Status: b.stringVal(v.Status), Script: b.stringVal(v.Script), ScriptArgs: v.ScriptArgs, HTTP: b.stringVal(v.HTTP), Header: v.Header, Method: b.stringVal(v.Method), TCP: b.stringVal(v.TCP), Interval: b.durationVal(fmt.Sprintf("check[%s].interval", id), v.Interval), DockerContainerID: b.stringVal(v.DockerContainerID), Shell: b.stringVal(v.Shell), TLSSkipVerify: b.boolVal(v.TLSSkipVerify), Timeout: b.durationVal(fmt.Sprintf("check[%s].timeout", id), v.Timeout), TTL: b.durationVal(fmt.Sprintf("check[%s].ttl", id), v.TTL), DeregisterCriticalServiceAfter: b.durationVal(fmt.Sprintf("check[%s].deregister_critical_service_after", id), v.DeregisterCriticalServiceAfter), } } func (b *Builder) serviceVal(v *ServiceDefinition) *structs.ServiceDefinition { if v == nil { return nil } var checks structs.CheckTypes for _, check := range v.Checks { checks = append(checks, b.checkVal(&check).CheckType()) } if v.Check != nil { checks = append(checks, b.checkVal(v.Check).CheckType()) } return &structs.ServiceDefinition{ ID: b.stringVal(v.ID), Name: b.stringVal(v.Name), Tags: v.Tags, Address: b.stringVal(v.Address), Port: b.intVal(v.Port), Token: b.stringVal(v.Token), EnableTagOverride: b.boolVal(v.EnableTagOverride), Checks: checks, } } func (b *Builder) boolVal(v *bool) bool { if v == nil { return false } return *v } func (b *Builder) durationVal(name string, v *string) (d time.Duration) { if v == nil { return 0 } d, err := time.ParseDuration(*v) if err != nil { b.err = multierror.Append(fmt.Errorf("%s: invalid duration: %q: %s", name, *v, err)) } return d } func (b *Builder) intVal(v *int) int { if v == nil { return 0 } return *v } func (b *Builder) portVal(name string, v *int) int { if v == nil || *v <= 0 { return -1 } if *v > 65535 { b.err = multierror.Append(b.err, fmt.Errorf("%s: invalid port: %d", name, *v)) } return *v } func (b *Builder) stringVal(v *string) string { if v == nil { return "" } return *v } func (b *Builder) float64Val(v *float64) float64 { if v == nil { return 0 } return *v } func (b *Builder) tlsCipherSuites(name string, v *string) []uint16 { if v == nil { return nil } var a []uint16 a, err := tlsutil.ParseCiphers(*v) if err != nil { b.err = multierror.Append(b.err, fmt.Errorf("%s: invalid tls cipher suites: %s", name, err)) } return a } func (b *Builder) nodeName(v *string) string { nodeName := b.stringVal(v) if nodeName == "" { fn := b.Hostname if fn == nil { fn = os.Hostname } name, err := fn() if err != nil { b.err = multierror.Append(b.err, fmt.Errorf("node_name: %s", err)) return "" } nodeName = name } return strings.TrimSpace(nodeName) } // expandAddrs expands the go-sockaddr template in s and returns the // result as a list of *net.IPAddr and *net.UnixAddr. func (b *Builder) expandAddrs(name string, s *string) []net.Addr { if s == nil || *s == "" { return nil } x, err := template.Parse(*s) if err != nil { b.err = multierror.Append(b.err, fmt.Errorf("%s: error parsing %q: %s", name, s, err)) return nil } var addrs []net.Addr for _, a := range strings.Fields(x) { switch { case strings.HasPrefix(a, "unix://"): addrs = append(addrs, &net.UnixAddr{Name: a[len("unix://"):], Net: "unix"}) default: // net.ParseIP does not like '[::]' ip := net.ParseIP(a) if a == "[::]" { ip = net.ParseIP("::") } if ip == nil { b.err = multierror.Append(b.err, fmt.Errorf("%s: invalid ip address: %s", name, a)) return nil } addrs = append(addrs, &net.IPAddr{IP: ip}) } } return addrs } // expandIPs expands the go-sockaddr template in s and returns a list of // *net.IPAddr. If one of the expanded addresses is a unix socket // address an error is set and nil is returned. func (b *Builder) expandIPs(name string, s *string) []*net.IPAddr { if s == nil || *s == "" { return nil } addrs := b.expandAddrs(name, s) var x []*net.IPAddr for _, addr := range addrs { switch a := addr.(type) { case *net.IPAddr: x = append(x, a) case *net.UnixAddr: b.err = multierror.Append(b.err, fmt.Errorf("%s cannot be a unix socket", name)) return nil default: b.err = multierror.Append(b.err, fmt.Errorf("%s has invalid address type %T", name, a)) return nil } } return x } // expandFirstAddr expands the go-sockaddr template in s and returns the // first address which is either a *net.IPAddr or a *net.UnixAddr. If // the template expands to multiple addresses an error is set and nil // is returned. func (b *Builder) expandFirstAddr(name string, s *string) net.Addr { if s == nil || *s == "" { return nil } addrs := b.expandAddrs(name, s) if len(addrs) == 0 { return nil } if len(addrs) > 1 { var x []string for _, a := range addrs { x = append(x, a.String()) } b.err = multierror.Append(b.err, fmt.Errorf("%s: multiple addresses found: %s", name, strings.Join(x, " "))) return nil } return addrs[0] } // expandFirstIP exapnds the go-sockaddr template in s and returns the // first address if it is not a unix socket address. If the template // expands to multiple addresses an error is set and nil is returned. func (b *Builder) expandFirstIP(name string, s *string) *net.IPAddr { if s == nil || *s == "" { return nil } addr := b.expandFirstAddr(name, s) if addr == nil { return nil } switch a := addr.(type) { case *net.IPAddr: return a case *net.UnixAddr: b.err = multierror.Append(b.err, fmt.Errorf("%s cannot be a unix socket", name)) return nil default: b.err = multierror.Append(b.err, fmt.Errorf("%s has invalid address type %T", name, a)) return nil } } func (b *Builder) makeIPAddr(pri *net.IPAddr, sec *net.IPAddr) *net.IPAddr { if pri != nil { return pri } return sec } func (b *Builder) makeTCPAddr(pri *net.IPAddr, sec net.Addr, port int) *net.TCPAddr { if pri == nil && reflect.ValueOf(sec).IsNil() || port <= 0 { return nil } addr := pri if addr == nil { switch a := sec.(type) { case *net.IPAddr: addr = a case *net.TCPAddr: addr = &net.IPAddr{IP: a.IP} default: panic(fmt.Sprintf("makeTCPAddr requires a net.IPAddr or a net.TCPAddr. Got %T", a)) } } return &net.TCPAddr{IP: addr.IP, Port: port} } // makeAddr creates an *net.TCPAddr or a *net.UnixAddr from either the // primary or secondary address and the given port. If the port is <= 0 // then the address is considered to be disabled and nil is returned. func (b *Builder) makeAddr(pri, sec net.Addr, port int) net.Addr { if reflect.ValueOf(pri).IsNil() && reflect.ValueOf(sec).IsNil() || port <= 0 { return nil } addr := pri if addr == nil { addr = sec } switch a := addr.(type) { case *net.IPAddr: return &net.TCPAddr{IP: a.IP, Port: port} case *net.UnixAddr: return a default: panic(fmt.Sprintf("invalid address type %T", a)) } } // makeAddrs creates a list of *net.TCPAddr or *net.UnixAddr entries // from either the primary or secondary addresses and the given port. // If the port is <= 0 then the address is considered to be disabled // and nil is returned. func (b *Builder) makeAddrs(pri []net.Addr, sec []*net.IPAddr, port int) []net.Addr { if len(pri) == 0 && len(sec) == 0 || port <= 0 { return nil } addrs := pri if len(addrs) == 0 { addrs = []net.Addr{} for _, a := range sec { addrs = append(addrs, a) } } var x []net.Addr for _, a := range addrs { x = append(x, b.makeAddr(a, nil, port)) } return x } // isUnixAddr returns true when the given address is a unix socket address type. func (b *Builder) isUnixAddr(a net.Addr) bool { _, ok := a.(*net.UnixAddr) return a != nil && ok } // decodeBytes returns the encryption key decoded. func decodeBytes(key string) ([]byte, error) { return base64.StdEncoding.DecodeString(key) } func isIPAddr(a net.Addr) bool { _, ok := a.(*net.IPAddr) return ok } func isUnixAddr(a net.Addr) bool { _, ok := a.(*net.UnixAddr) return ok }