package agent import ( "context" "fmt" "io" "io/ioutil" golog "log" "net" "os" "path/filepath" "runtime" "strings" "sync" "time" metrics "github.com/armon/go-metrics" consulapi "github.com/hashicorp/consul/api" log "github.com/hashicorp/go-hclog" uuidparse "github.com/hashicorp/go-uuid" "github.com/hashicorp/nomad/client" clientconfig "github.com/hashicorp/nomad/client/config" "github.com/hashicorp/nomad/client/lib/cgutil" "github.com/hashicorp/nomad/client/state" "github.com/hashicorp/nomad/command/agent/consul" "github.com/hashicorp/nomad/command/agent/event" "github.com/hashicorp/nomad/helper/bufconndialer" "github.com/hashicorp/nomad/helper/escapingfs" "github.com/hashicorp/nomad/helper/pluginutils/loader" "github.com/hashicorp/nomad/helper/uuid" "github.com/hashicorp/nomad/lib/cpuset" "github.com/hashicorp/nomad/nomad" "github.com/hashicorp/nomad/nomad/deploymentwatcher" "github.com/hashicorp/nomad/nomad/structs" "github.com/hashicorp/nomad/nomad/structs/config" "github.com/hashicorp/raft" ) const ( agentHttpCheckInterval = 10 * time.Second agentHttpCheckTimeout = 5 * time.Second serverRpcCheckInterval = 10 * time.Second serverRpcCheckTimeout = 3 * time.Second serverSerfCheckInterval = 10 * time.Second serverSerfCheckTimeout = 3 * time.Second // roles used in identifying Consul entries for Nomad agents consulRoleServer = "server" consulRoleClient = "client" // DefaultRaftMultiplier is used as a baseline Raft configuration that // will be reliable on a very basic server. DefaultRaftMultiplier = 1 // MaxRaftMultiplier is a fairly arbitrary upper bound that limits the // amount of performance detuning that's possible. MaxRaftMultiplier = 10 ) // Agent is a long running daemon that is used to run both // clients and servers. Servers are responsible for managing // state and making scheduling decisions. Clients can be // scheduled to, and are responsible for interfacing with // servers to run allocations. type Agent struct { config *Config configLock sync.Mutex logger log.InterceptLogger auditor event.Auditor httpLogger log.Logger logOutput io.Writer // EnterpriseAgent holds information and methods for enterprise functionality EnterpriseAgent *EnterpriseAgent // consulService is Nomad's custom Consul client for managing services // and checks. consulService *consul.ServiceClient // consulProxies is the subset of Consul's Agent API Nomad uses. consulProxies *consul.ConnectProxies // consulCatalog is the subset of Consul's Catalog API Nomad uses. consulCatalog consul.CatalogAPI // consulConfigEntries is the subset of Consul's Configuration Entries API Nomad uses. consulConfigEntries consul.ConfigAPI // consulACLs is Nomad's subset of Consul's ACL API Nomad uses. consulACLs consul.ACLsAPI // client is the launched Nomad Client. Can be nil if the agent isn't // configured to run a client. client *client.Client // server is the launched Nomad Server. Can be nil if the agent isn't // configured to run a server. server *nomad.Server // pluginLoader is used to load plugins pluginLoader loader.PluginCatalog // pluginSingletonLoader is a plugin loader that will returns singleton // instances of the plugins. pluginSingletonLoader loader.PluginCatalog shutdown bool shutdownCh chan struct{} shutdownLock sync.Mutex // builtinDialer dials the builtinListener. It is used for connecting // consul-template to the HTTP API in process. In the event this agent is // not running in client mode, these two fields will be nil. builtinListener net.Listener builtinDialer *bufconndialer.BufConnWrapper InmemSink *metrics.InmemSink } // NewAgent is used to create a new agent with the given configuration func NewAgent(config *Config, logger log.InterceptLogger, logOutput io.Writer, inmem *metrics.InmemSink) (*Agent, error) { a := &Agent{ config: config, logOutput: logOutput, shutdownCh: make(chan struct{}), InmemSink: inmem, } // Create the loggers a.logger = logger a.httpLogger = a.logger.ResetNamed("http") // Global logger should match internal logger as much as possible golog.SetFlags(golog.LstdFlags | golog.Lmicroseconds) if err := a.setupConsul(config.Consul); err != nil { return nil, fmt.Errorf("Failed to initialize Consul client: %v", err) } if err := a.setupPlugins(); err != nil { return nil, err } if err := a.setupServer(); err != nil { return nil, err } if err := a.setupClient(); err != nil { return nil, err } if err := a.setupEnterpriseAgent(logger); err != nil { return nil, err } if a.client == nil && a.server == nil { return nil, fmt.Errorf("must have at least client or server mode enabled") } return a, nil } // convertServerConfig takes an agent config and log output and returns a Nomad // Config. There may be missing fields that must be set by the agent. To do this // call finalizeServerConfig func convertServerConfig(agentConfig *Config) (*nomad.Config, error) { conf := agentConfig.NomadConfig if conf == nil { conf = nomad.DefaultConfig() } conf.DevMode = agentConfig.DevMode conf.EnableDebug = agentConfig.EnableDebug conf.Build = agentConfig.Version.VersionNumber() conf.Revision = agentConfig.Version.Revision if agentConfig.Region != "" { conf.Region = agentConfig.Region } // Set the Authoritative Region if set, otherwise default to // the same as the local region. if agentConfig.Server.AuthoritativeRegion != "" { conf.AuthoritativeRegion = agentConfig.Server.AuthoritativeRegion } else if agentConfig.Region != "" { conf.AuthoritativeRegion = agentConfig.Region } if agentConfig.Datacenter != "" { conf.Datacenter = agentConfig.Datacenter } if agentConfig.NodeName != "" { conf.NodeName = agentConfig.NodeName } if agentConfig.Server.BootstrapExpect > 0 { conf.BootstrapExpect = agentConfig.Server.BootstrapExpect } if agentConfig.DataDir != "" { conf.DataDir = filepath.Join(agentConfig.DataDir, "server") } if agentConfig.Server.DataDir != "" { conf.DataDir = agentConfig.Server.DataDir } if agentConfig.Server.RaftProtocol != 0 { conf.RaftConfig.ProtocolVersion = raft.ProtocolVersion(agentConfig.Server.RaftProtocol) } if v := conf.RaftConfig.ProtocolVersion; v != 3 { return nil, fmt.Errorf("raft_protocol must be 3 in Nomad v1.4 and later, got %d", v) } raftMultiplier := int(DefaultRaftMultiplier) if agentConfig.Server.RaftMultiplier != nil && *agentConfig.Server.RaftMultiplier != 0 { raftMultiplier = *agentConfig.Server.RaftMultiplier if raftMultiplier < 1 || raftMultiplier > MaxRaftMultiplier { return nil, fmt.Errorf("raft_multiplier cannot be %d. Must be between 1 and %d", *agentConfig.Server.RaftMultiplier, MaxRaftMultiplier) } } conf.RaftConfig.ElectionTimeout *= time.Duration(raftMultiplier) conf.RaftConfig.HeartbeatTimeout *= time.Duration(raftMultiplier) conf.RaftConfig.LeaderLeaseTimeout *= time.Duration(raftMultiplier) conf.RaftConfig.CommitTimeout *= time.Duration(raftMultiplier) if agentConfig.Server.NumSchedulers != nil { conf.NumSchedulers = *agentConfig.Server.NumSchedulers } if len(agentConfig.Server.EnabledSchedulers) != 0 { // Convert to a set and require the core scheduler set := make(map[string]struct{}, 4) set[structs.JobTypeCore] = struct{}{} for _, sched := range agentConfig.Server.EnabledSchedulers { set[sched] = struct{}{} } schedulers := make([]string, 0, len(set)) for k := range set { schedulers = append(schedulers, k) } conf.EnabledSchedulers = schedulers } if agentConfig.ACL.Enabled { conf.ACLEnabled = true } if agentConfig.ACL.ReplicationToken != "" { conf.ReplicationToken = agentConfig.ACL.ReplicationToken } if agentConfig.ACL.TokenMinExpirationTTL != 0 { conf.ACLTokenMinExpirationTTL = agentConfig.ACL.TokenMinExpirationTTL } if agentConfig.ACL.TokenMaxExpirationTTL != 0 { conf.ACLTokenMaxExpirationTTL = agentConfig.ACL.TokenMaxExpirationTTL } if agentConfig.Sentinel != nil { conf.SentinelConfig = agentConfig.Sentinel } if agentConfig.Server.NonVotingServer { conf.NonVoter = true } if agentConfig.Server.RedundancyZone != "" { conf.RedundancyZone = agentConfig.Server.RedundancyZone } if agentConfig.Server.UpgradeVersion != "" { conf.UpgradeVersion = agentConfig.Server.UpgradeVersion } if agentConfig.Server.EnableEventBroker != nil { conf.EnableEventBroker = *agentConfig.Server.EnableEventBroker } if agentConfig.Server.EventBufferSize != nil { if *agentConfig.Server.EventBufferSize < 0 { return nil, fmt.Errorf("Invalid Config, event_buffer_size must be non-negative") } conf.EventBufferSize = int64(*agentConfig.Server.EventBufferSize) } if agentConfig.Autopilot != nil { if agentConfig.Autopilot.CleanupDeadServers != nil { conf.AutopilotConfig.CleanupDeadServers = *agentConfig.Autopilot.CleanupDeadServers } if agentConfig.Autopilot.ServerStabilizationTime != 0 { conf.AutopilotConfig.ServerStabilizationTime = agentConfig.Autopilot.ServerStabilizationTime } if agentConfig.Autopilot.LastContactThreshold != 0 { conf.AutopilotConfig.LastContactThreshold = agentConfig.Autopilot.LastContactThreshold } if agentConfig.Autopilot.MaxTrailingLogs != 0 { conf.AutopilotConfig.MaxTrailingLogs = uint64(agentConfig.Autopilot.MaxTrailingLogs) } if agentConfig.Autopilot.MinQuorum != 0 { conf.AutopilotConfig.MinQuorum = uint(agentConfig.Autopilot.MinQuorum) } if agentConfig.Autopilot.EnableRedundancyZones != nil { conf.AutopilotConfig.EnableRedundancyZones = *agentConfig.Autopilot.EnableRedundancyZones } if agentConfig.Autopilot.DisableUpgradeMigration != nil { conf.AutopilotConfig.DisableUpgradeMigration = *agentConfig.Autopilot.DisableUpgradeMigration } if agentConfig.Autopilot.EnableCustomUpgrades != nil { conf.AutopilotConfig.EnableCustomUpgrades = *agentConfig.Autopilot.EnableCustomUpgrades } } // Set up the bind addresses rpcAddr, err := net.ResolveTCPAddr("tcp", agentConfig.normalizedAddrs.RPC) if err != nil { return nil, fmt.Errorf("Failed to parse RPC address %q: %v", agentConfig.normalizedAddrs.RPC, err) } serfAddr, err := net.ResolveTCPAddr("tcp", agentConfig.normalizedAddrs.Serf) if err != nil { return nil, fmt.Errorf("Failed to parse Serf address %q: %v", agentConfig.normalizedAddrs.Serf, err) } conf.RPCAddr.Port = rpcAddr.Port conf.RPCAddr.IP = rpcAddr.IP conf.SerfConfig.MemberlistConfig.BindPort = serfAddr.Port conf.SerfConfig.MemberlistConfig.BindAddr = serfAddr.IP.String() // Set up the advertise addresses rpcAddr, err = net.ResolveTCPAddr("tcp", agentConfig.AdvertiseAddrs.RPC) if err != nil { return nil, fmt.Errorf("Failed to parse RPC advertise address %q: %v", agentConfig.AdvertiseAddrs.RPC, err) } serfAddr, err = net.ResolveTCPAddr("tcp", agentConfig.AdvertiseAddrs.Serf) if err != nil { return nil, fmt.Errorf("Failed to parse Serf advertise address %q: %v", agentConfig.AdvertiseAddrs.Serf, err) } // Server address is the serf advertise address and rpc port. This is the // address that all servers should be able to communicate over RPC with. serverAddr, err := net.ResolveTCPAddr("tcp", net.JoinHostPort(serfAddr.IP.String(), fmt.Sprintf("%d", rpcAddr.Port))) if err != nil { return nil, fmt.Errorf("Failed to resolve Serf advertise address %q: %v", agentConfig.AdvertiseAddrs.Serf, err) } conf.SerfConfig.MemberlistConfig.AdvertiseAddr = serfAddr.IP.String() conf.SerfConfig.MemberlistConfig.AdvertisePort = serfAddr.Port conf.ClientRPCAdvertise = rpcAddr conf.ServerRPCAdvertise = serverAddr // Set up gc threshold and heartbeat grace period if gcThreshold := agentConfig.Server.NodeGCThreshold; gcThreshold != "" { dur, err := time.ParseDuration(gcThreshold) if err != nil { return nil, err } conf.NodeGCThreshold = dur } if gcInterval := agentConfig.Server.JobGCInterval; gcInterval != "" { dur, err := time.ParseDuration(gcInterval) if err != nil { return nil, fmt.Errorf("failed to parse job_gc_interval: %v", err) } else if dur <= time.Duration(0) { return nil, fmt.Errorf("job_gc_interval should be greater than 0s") } conf.JobGCInterval = dur } if gcThreshold := agentConfig.Server.JobGCThreshold; gcThreshold != "" { dur, err := time.ParseDuration(gcThreshold) if err != nil { return nil, err } conf.JobGCThreshold = dur } if gcThreshold := agentConfig.Server.EvalGCThreshold; gcThreshold != "" { dur, err := time.ParseDuration(gcThreshold) if err != nil { return nil, err } conf.EvalGCThreshold = dur } if gcThreshold := agentConfig.Server.DeploymentGCThreshold; gcThreshold != "" { dur, err := time.ParseDuration(gcThreshold) if err != nil { return nil, err } conf.DeploymentGCThreshold = dur } if gcThreshold := agentConfig.Server.CSIVolumeClaimGCThreshold; gcThreshold != "" { dur, err := time.ParseDuration(gcThreshold) if err != nil { return nil, err } conf.CSIVolumeClaimGCThreshold = dur } if gcThreshold := agentConfig.Server.CSIPluginGCThreshold; gcThreshold != "" { dur, err := time.ParseDuration(gcThreshold) if err != nil { return nil, err } conf.CSIPluginGCThreshold = dur } if gcThreshold := agentConfig.Server.ACLTokenGCThreshold; gcThreshold != "" { dur, err := time.ParseDuration(gcThreshold) if err != nil { return nil, err } conf.ACLTokenExpirationGCThreshold = dur } if gcThreshold := agentConfig.Server.RootKeyGCThreshold; gcThreshold != "" { dur, err := time.ParseDuration(gcThreshold) if err != nil { return nil, err } conf.RootKeyGCThreshold = dur } if gcInterval := agentConfig.Server.RootKeyGCInterval; gcInterval != "" { dur, err := time.ParseDuration(gcInterval) if err != nil { return nil, err } conf.RootKeyGCInterval = dur } if rotationThreshold := agentConfig.Server.RootKeyRotationThreshold; rotationThreshold != "" { dur, err := time.ParseDuration(rotationThreshold) if err != nil { return nil, err } conf.RootKeyRotationThreshold = dur } if heartbeatGrace := agentConfig.Server.HeartbeatGrace; heartbeatGrace != 0 { conf.HeartbeatGrace = heartbeatGrace } if min := agentConfig.Server.MinHeartbeatTTL; min != 0 { conf.MinHeartbeatTTL = min } if maxHPS := agentConfig.Server.MaxHeartbeatsPerSecond; maxHPS != 0 { conf.MaxHeartbeatsPerSecond = maxHPS } if failoverTTL := agentConfig.Server.FailoverHeartbeatTTL; failoverTTL != 0 { conf.FailoverHeartbeatTTL = failoverTTL } if *agentConfig.Consul.AutoAdvertise && agentConfig.Consul.ServerServiceName == "" { return nil, fmt.Errorf("server_service_name must be set when auto_advertise is enabled") } // handle system scheduler preemption default if agentConfig.Server.DefaultSchedulerConfig != nil { conf.DefaultSchedulerConfig = *agentConfig.Server.DefaultSchedulerConfig } // Add the Consul and Vault configs conf.ConsulConfig = agentConfig.Consul conf.VaultConfig = agentConfig.Vault // Set the TLS config conf.TLSConfig = agentConfig.TLSConfig // Setup telemetry related config conf.StatsCollectionInterval = agentConfig.Telemetry.collectionInterval conf.DisableDispatchedJobSummaryMetrics = agentConfig.Telemetry.DisableDispatchedJobSummaryMetrics if d, err := time.ParseDuration(agentConfig.Limits.RPCHandshakeTimeout); err != nil { return nil, fmt.Errorf("error parsing rpc_handshake_timeout: %v", err) } else if d < 0 { return nil, fmt.Errorf("rpc_handshake_timeout must be >= 0") } else { conf.RPCHandshakeTimeout = d } // Set max rpc conns; nil/0 == unlimited // Leave a little room for streaming RPCs minLimit := config.LimitsNonStreamingConnsPerClient + 5 if agentConfig.Limits.RPCMaxConnsPerClient == nil || *agentConfig.Limits.RPCMaxConnsPerClient == 0 { conf.RPCMaxConnsPerClient = 0 } else if limit := *agentConfig.Limits.RPCMaxConnsPerClient; limit <= minLimit { return nil, fmt.Errorf("rpc_max_conns_per_client must be > %d; found: %d", minLimit, limit) } else { conf.RPCMaxConnsPerClient = limit } // Set deployment rate limit if rate := agentConfig.Server.DeploymentQueryRateLimit; rate == 0 { conf.DeploymentQueryRateLimit = deploymentwatcher.LimitStateQueriesPerSecond } else if rate > 0 { conf.DeploymentQueryRateLimit = rate } else { return nil, fmt.Errorf("deploy_query_rate_limit must be greater than 0") } // Set plan rejection tracker configuration. if planRejectConf := agentConfig.Server.PlanRejectionTracker; planRejectConf != nil { if planRejectConf.Enabled != nil { conf.NodePlanRejectionEnabled = *planRejectConf.Enabled } conf.NodePlanRejectionThreshold = planRejectConf.NodeThreshold if planRejectConf.NodeWindow == 0 { return nil, fmt.Errorf("plan_rejection_tracker.node_window must be greater than 0") } else { conf.NodePlanRejectionWindow = planRejectConf.NodeWindow } } // Add Enterprise license configs conf.LicenseEnv = agentConfig.Server.LicenseEnv conf.LicensePath = agentConfig.Server.LicensePath conf.LicenseConfig.AdditionalPubKeys = agentConfig.Server.licenseAdditionalPublicKeys // Add the search configuration if search := agentConfig.Server.Search; search != nil { conf.SearchConfig = &structs.SearchConfig{ FuzzyEnabled: search.FuzzyEnabled, LimitQuery: search.LimitQuery, LimitResults: search.LimitResults, MinTermLength: search.MinTermLength, } } // Set the raft bolt parameters if bolt := agentConfig.Server.RaftBoltConfig; bolt != nil { conf.RaftBoltNoFreelistSync = bolt.NoFreelistSync } return conf, nil } // serverConfig is used to generate a new server configuration struct // for initializing a nomad server. func (a *Agent) serverConfig() (*nomad.Config, error) { c, err := convertServerConfig(a.config) if err != nil { return nil, err } a.finalizeServerConfig(c) return c, nil } // finalizeServerConfig sets configuration fields on the server config that are // not staticly convertable and are from the agent. func (a *Agent) finalizeServerConfig(c *nomad.Config) { // Setup the logging c.Logger = a.logger c.LogOutput = a.logOutput // Setup the plugin loaders c.PluginLoader = a.pluginLoader c.PluginSingletonLoader = a.pluginSingletonLoader c.AgentShutdown = func() error { return a.Shutdown() } } // clientConfig is used to generate a new client configuration struct for // initializing a Nomad client. func (a *Agent) clientConfig() (*clientconfig.Config, error) { c, err := convertClientConfig(a.config) if err != nil { return nil, err } if err := a.finalizeClientConfig(c); err != nil { return nil, err } return c, nil } // finalizeClientConfig sets configuration fields on the client config that are // not staticly convertable and are from the agent. func (a *Agent) finalizeClientConfig(c *clientconfig.Config) error { // Setup the logging c.Logger = a.logger // If we are running a server, append both its bind and advertise address so // we are able to at least talk to the local server even if that isn't // configured explicitly. This handles both running server and client on one // host and -dev mode. if a.server != nil { advertised := a.config.AdvertiseAddrs normalized := a.config.normalizedAddrs if advertised == nil || advertised.RPC == "" { return fmt.Errorf("AdvertiseAddrs is nil or empty") } else if normalized == nil || normalized.RPC == "" { return fmt.Errorf("normalizedAddrs is nil or empty") } if normalized.RPC == advertised.RPC { c.Servers = append(c.Servers, normalized.RPC) } else { c.Servers = append(c.Servers, normalized.RPC, advertised.RPC) } } // Setup the plugin loaders c.PluginLoader = a.pluginLoader c.PluginSingletonLoader = a.pluginSingletonLoader // Log deprecation messages about Consul related configuration in client // options var invalidConsulKeys []string for key := range c.Options { if strings.HasPrefix(key, "consul") { invalidConsulKeys = append(invalidConsulKeys, fmt.Sprintf("options.%s", key)) } } if len(invalidConsulKeys) > 0 { a.logger.Warn("invalid consul keys", "keys", strings.Join(invalidConsulKeys, ",")) a.logger.Warn(`Nomad client ignores consul related configuration in client options. Please refer to the guide https://www.nomadproject.io/docs/agent/configuration/consul.html to configure Nomad to work with Consul.`) } return nil } // convertClientConfig takes an agent config and log output and returns a client // Config. There may be missing fields that must be set by the agent. To do this // call finalizeServerConfig func convertClientConfig(agentConfig *Config) (*clientconfig.Config, error) { // Set up the configuration conf := agentConfig.ClientConfig if conf == nil { conf = clientconfig.DefaultConfig() } conf.Servers = agentConfig.Client.Servers conf.DevMode = agentConfig.DevMode conf.EnableDebug = agentConfig.EnableDebug if agentConfig.Region != "" { conf.Region = agentConfig.Region } if agentConfig.DataDir != "" { conf.StateDir = filepath.Join(agentConfig.DataDir, "client") conf.AllocDir = filepath.Join(agentConfig.DataDir, "alloc") } if agentConfig.Client.StateDir != "" { conf.StateDir = agentConfig.Client.StateDir } if agentConfig.Client.AllocDir != "" { conf.AllocDir = agentConfig.Client.AllocDir } if agentConfig.Client.NetworkInterface != "" { conf.NetworkInterface = agentConfig.Client.NetworkInterface } conf.ChrootEnv = agentConfig.Client.ChrootEnv conf.Options = agentConfig.Client.Options if agentConfig.Client.NetworkSpeed != 0 { conf.NetworkSpeed = agentConfig.Client.NetworkSpeed } if agentConfig.Client.CpuCompute != 0 { conf.CpuCompute = agentConfig.Client.CpuCompute } if agentConfig.Client.MemoryMB != 0 { conf.MemoryMB = agentConfig.Client.MemoryMB } if agentConfig.Client.MaxKillTimeout != "" { dur, err := time.ParseDuration(agentConfig.Client.MaxKillTimeout) if err != nil { return nil, fmt.Errorf("Error parsing max kill timeout: %s", err) } conf.MaxKillTimeout = dur } conf.ClientMaxPort = uint(agentConfig.Client.ClientMaxPort) conf.ClientMinPort = uint(agentConfig.Client.ClientMinPort) conf.MaxDynamicPort = agentConfig.Client.MaxDynamicPort conf.MinDynamicPort = agentConfig.Client.MinDynamicPort conf.DisableRemoteExec = agentConfig.Client.DisableRemoteExec if agentConfig.Client.TemplateConfig != nil { conf.TemplateConfig = agentConfig.Client.TemplateConfig.Copy() } hvMap := make(map[string]*structs.ClientHostVolumeConfig, len(agentConfig.Client.HostVolumes)) for _, v := range agentConfig.Client.HostVolumes { hvMap[v.Name] = v } conf.HostVolumes = hvMap // Setup the node conf.Node = new(structs.Node) conf.Node.Datacenter = agentConfig.Datacenter conf.Node.Name = agentConfig.NodeName conf.Node.Meta = agentConfig.Client.Meta conf.Node.NodeClass = agentConfig.Client.NodeClass // Set up the HTTP advertise address conf.Node.HTTPAddr = agentConfig.AdvertiseAddrs.HTTP // Canonicalize Node struct conf.Node.Canonicalize() // Reserve resources on the node. // COMPAT(0.10): Remove in 0.10 r := conf.Node.Reserved if r == nil { r = new(structs.Resources) conf.Node.Reserved = r } r.CPU = agentConfig.Client.Reserved.CPU r.MemoryMB = agentConfig.Client.Reserved.MemoryMB r.DiskMB = agentConfig.Client.Reserved.DiskMB res := conf.Node.ReservedResources if res == nil { res = new(structs.NodeReservedResources) conf.Node.ReservedResources = res } res.Cpu.CpuShares = int64(agentConfig.Client.Reserved.CPU) res.Memory.MemoryMB = int64(agentConfig.Client.Reserved.MemoryMB) res.Disk.DiskMB = int64(agentConfig.Client.Reserved.DiskMB) res.Networks.ReservedHostPorts = agentConfig.Client.Reserved.ReservedPorts if agentConfig.Client.Reserved.Cores != "" { cores, err := cpuset.Parse(agentConfig.Client.Reserved.Cores) if err != nil { return nil, fmt.Errorf("failed to parse client > reserved > cores value %q: %v", agentConfig.Client.Reserved.Cores, err) } res.Cpu.ReservedCpuCores = cores.ToSlice() } conf.Version = agentConfig.Version if *agentConfig.Consul.AutoAdvertise && agentConfig.Consul.ClientServiceName == "" { return nil, fmt.Errorf("client_service_name must be set when auto_advertise is enabled") } conf.ConsulConfig = agentConfig.Consul conf.VaultConfig = agentConfig.Vault // Set up Telemetry configuration conf.StatsCollectionInterval = agentConfig.Telemetry.collectionInterval conf.PublishNodeMetrics = agentConfig.Telemetry.PublishNodeMetrics conf.PublishAllocationMetrics = agentConfig.Telemetry.PublishAllocationMetrics // Set the TLS related configs conf.TLSConfig = agentConfig.TLSConfig conf.Node.TLSEnabled = conf.TLSConfig.EnableHTTP // Set the GC related configs conf.GCInterval = agentConfig.Client.GCInterval conf.GCParallelDestroys = agentConfig.Client.GCParallelDestroys conf.GCDiskUsageThreshold = agentConfig.Client.GCDiskUsageThreshold conf.GCInodeUsageThreshold = agentConfig.Client.GCInodeUsageThreshold conf.GCMaxAllocs = agentConfig.Client.GCMaxAllocs if agentConfig.Client.NoHostUUID != nil { conf.NoHostUUID = *agentConfig.Client.NoHostUUID } else { // Default no_host_uuid to true conf.NoHostUUID = true } // Setup the ACLs conf.ACLEnabled = agentConfig.ACL.Enabled conf.ACLTokenTTL = agentConfig.ACL.TokenTTL conf.ACLPolicyTTL = agentConfig.ACL.PolicyTTL conf.ACLRoleTTL = agentConfig.ACL.RoleTTL // Setup networking configuration conf.CNIPath = agentConfig.Client.CNIPath conf.CNIConfigDir = agentConfig.Client.CNIConfigDir conf.BridgeNetworkName = agentConfig.Client.BridgeNetworkName conf.BridgeNetworkAllocSubnet = agentConfig.Client.BridgeNetworkSubnet for _, hn := range agentConfig.Client.HostNetworks { conf.HostNetworks[hn.Name] = hn } conf.BindWildcardDefaultHostNetwork = agentConfig.Client.BindWildcardDefaultHostNetwork conf.CgroupParent = cgutil.GetCgroupParent(agentConfig.Client.CgroupParent) if agentConfig.Client.ReserveableCores != "" { cores, err := cpuset.Parse(agentConfig.Client.ReserveableCores) if err != nil { return nil, fmt.Errorf("failed to parse 'reservable_cores': %v", err) } conf.ReservableCores = cores.ToSlice() } if agentConfig.Client.NomadServiceDiscovery != nil { conf.NomadServiceDiscovery = *agentConfig.Client.NomadServiceDiscovery } artifactConfig, err := clientconfig.ArtifactConfigFromAgent(agentConfig.Client.Artifact) if err != nil { return nil, fmt.Errorf("invalid artifact config: %v", err) } conf.Artifact = artifactConfig return conf, nil } // setupServer is used to setup the server if enabled func (a *Agent) setupServer() error { if !a.config.Server.Enabled { return nil } // Setup the configuration conf, err := a.serverConfig() if err != nil { return fmt.Errorf("server config setup failed: %s", err) } // Generate a node ID and persist it if it is the first instance, otherwise // read the persisted node ID. if err := a.setupNodeID(conf); err != nil { return fmt.Errorf("setting up server node ID failed: %s", err) } // Sets up the keyring for gossip encryption if err := a.setupKeyrings(conf); err != nil { return fmt.Errorf("failed to configure keyring: %v", err) } // Create the server server, err := nomad.NewServer(conf, a.consulCatalog, a.consulConfigEntries, a.consulACLs) if err != nil { return fmt.Errorf("server setup failed: %v", err) } a.server = server // Consul check addresses default to bind but can be toggled to use advertise rpcCheckAddr := a.config.normalizedAddrs.RPC serfCheckAddr := a.config.normalizedAddrs.Serf if *a.config.Consul.ChecksUseAdvertise { rpcCheckAddr = a.config.AdvertiseAddrs.RPC serfCheckAddr = a.config.AdvertiseAddrs.Serf } // Create the Nomad Server services for Consul if *a.config.Consul.AutoAdvertise { httpServ := &structs.Service{ Name: a.config.Consul.ServerServiceName, PortLabel: a.config.AdvertiseAddrs.HTTP, Tags: append([]string{consul.ServiceTagHTTP}, a.config.Consul.Tags...), } const isServer = true if check := a.agentHTTPCheck(isServer); check != nil { httpServ.Checks = []*structs.ServiceCheck{check} } rpcServ := &structs.Service{ Name: a.config.Consul.ServerServiceName, PortLabel: a.config.AdvertiseAddrs.RPC, Tags: append([]string{consul.ServiceTagRPC}, a.config.Consul.Tags...), Checks: []*structs.ServiceCheck{ { Name: a.config.Consul.ServerRPCCheckName, Type: "tcp", Interval: serverRpcCheckInterval, Timeout: serverRpcCheckTimeout, PortLabel: rpcCheckAddr, }, }, } serfServ := &structs.Service{ Name: a.config.Consul.ServerServiceName, PortLabel: a.config.AdvertiseAddrs.Serf, Tags: append([]string{consul.ServiceTagSerf}, a.config.Consul.Tags...), Checks: []*structs.ServiceCheck{ { Name: a.config.Consul.ServerSerfCheckName, Type: "tcp", Interval: serverSerfCheckInterval, Timeout: serverSerfCheckTimeout, PortLabel: serfCheckAddr, }, }, } // Add the http port check if TLS isn't enabled consulServices := []*structs.Service{ rpcServ, serfServ, httpServ, } if err := a.consulService.RegisterAgent(consulRoleServer, consulServices); err != nil { return err } } return nil } // setupNodeID will pull the persisted node ID, if any, or create a random one // and persist it. func (a *Agent) setupNodeID(config *nomad.Config) error { // For dev mode we have no filesystem access so just make a node ID. if a.config.DevMode { config.NodeID = uuid.Generate() return nil } // Load saved state, if any. Since a user could edit this, we also // validate it. Saved state overwrites any configured node id fileID := filepath.Join(config.DataDir, "node-id") if _, err := os.Stat(fileID); err == nil { rawID, err := ioutil.ReadFile(fileID) if err != nil { return err } nodeID := strings.TrimSpace(string(rawID)) nodeID = strings.ToLower(nodeID) if _, err := uuidparse.ParseUUID(nodeID); err != nil { return err } config.NodeID = nodeID return nil } // If they've configured a node ID manually then just use that, as // long as it's valid. if config.NodeID != "" { config.NodeID = strings.ToLower(config.NodeID) if _, err := uuidparse.ParseUUID(config.NodeID); err != nil { return err } // Persist this configured nodeID to our data directory if err := escapingfs.EnsurePath(fileID, false); err != nil { return err } if err := ioutil.WriteFile(fileID, []byte(config.NodeID), 0600); err != nil { return err } return nil } // If we still don't have a valid node ID, make one. if config.NodeID == "" { id := uuid.Generate() if err := escapingfs.EnsurePath(fileID, false); err != nil { return err } if err := ioutil.WriteFile(fileID, []byte(id), 0600); err != nil { return err } config.NodeID = id } return nil } // setupKeyrings is used to initialize and load keyrings during agent startup func (a *Agent) setupKeyrings(config *nomad.Config) error { file := filepath.Join(a.config.DataDir, serfKeyring) if a.config.Server.EncryptKey == "" { goto LOAD } if _, err := os.Stat(file); err != nil { if err := initKeyring(file, a.config.Server.EncryptKey, a.logger); err != nil { return err } } LOAD: if _, err := os.Stat(file); err == nil { config.SerfConfig.KeyringFile = file } if err := loadKeyringFile(config.SerfConfig); err != nil { return err } // Success! return nil } // setupClient is used to setup the client if enabled func (a *Agent) setupClient() error { if !a.config.Client.Enabled { return nil } // Setup the configuration conf, err := a.clientConfig() if err != nil { return fmt.Errorf("client setup failed: %v", err) } // Reserve some ports for the plugins if we are on Windows if runtime.GOOS == "windows" { if err := a.reservePortsForClient(conf); err != nil { return err } } if conf.StateDBFactory == nil { conf.StateDBFactory = state.GetStateDBFactory(conf.DevMode) } // Set up a custom listener and dialer. This is used by Nomad clients when // running consul-template functions that utilise the Nomad API. We lazy // load this into the client config, therefore this needs to happen before // we call NewClient. a.builtinListener, a.builtinDialer = bufconndialer.New() conf.TemplateDialer = a.builtinDialer nomadClient, err := client.NewClient( conf, a.consulCatalog, a.consulProxies, a.consulService, nil) if err != nil { return fmt.Errorf("client setup failed: %v", err) } a.client = nomadClient // Create the Nomad Client services for Consul if *a.config.Consul.AutoAdvertise { httpServ := &structs.Service{ Name: a.config.Consul.ClientServiceName, PortLabel: a.config.AdvertiseAddrs.HTTP, Tags: append([]string{consul.ServiceTagHTTP}, a.config.Consul.Tags...), } const isServer = false if check := a.agentHTTPCheck(isServer); check != nil { httpServ.Checks = []*structs.ServiceCheck{check} } if err := a.consulService.RegisterAgent(consulRoleClient, []*structs.Service{httpServ}); err != nil { return err } } return nil } // agentHTTPCheck returns a health check for the agent's HTTP API if possible. // If no HTTP health check can be supported nil is returned. func (a *Agent) agentHTTPCheck(server bool) *structs.ServiceCheck { // Resolve the http check address httpCheckAddr := a.config.normalizedAddrs.HTTP[0] if *a.config.Consul.ChecksUseAdvertise { httpCheckAddr = a.config.AdvertiseAddrs.HTTP } check := structs.ServiceCheck{ Name: a.config.Consul.ClientHTTPCheckName, Type: "http", Path: "/v1/agent/health?type=client", Protocol: "http", Interval: agentHttpCheckInterval, Timeout: agentHttpCheckTimeout, PortLabel: httpCheckAddr, } // Switch to endpoint that doesn't require a leader for servers if server { check.Name = a.config.Consul.ServerHTTPCheckName check.Path = "/v1/agent/health?type=server" } if !a.config.TLSConfig.EnableHTTP { // No HTTPS, return a plain http check return &check } if a.config.TLSConfig.VerifyHTTPSClient { a.logger.Warn("not registering Nomad HTTPS Health Check because verify_https_client enabled") return nil } // HTTPS enabled; skip verification check.Protocol = "https" check.TLSSkipVerify = true return &check } // reservePortsForClient reserves a range of ports for the client to use when // it creates various plugins for log collection, executors, drivers, etc func (a *Agent) reservePortsForClient(conf *clientconfig.Config) error { if conf.Node.ReservedResources == nil { conf.Node.ReservedResources = &structs.NodeReservedResources{} } res := conf.Node.ReservedResources.Networks.ReservedHostPorts if res == "" { res = fmt.Sprintf("%d-%d", conf.ClientMinPort, conf.ClientMaxPort) } else { res += fmt.Sprintf(",%d-%d", conf.ClientMinPort, conf.ClientMaxPort) } conf.Node.ReservedResources.Networks.ReservedHostPorts = res return nil } // Leave is used gracefully exit. Clients will inform servers // of their departure so that allocations can be rescheduled. func (a *Agent) Leave() error { if a.client != nil { if err := a.client.Leave(); err != nil { a.logger.Error("client leave failed", "error", err) } } if a.server != nil { if err := a.server.Leave(); err != nil { a.logger.Error("server leave failed", "error", err) } } return nil } // Shutdown is used to terminate the agent. func (a *Agent) Shutdown() error { a.shutdownLock.Lock() defer a.shutdownLock.Unlock() if a.shutdown { return nil } a.logger.Info("requesting shutdown") if a.client != nil { if err := a.client.Shutdown(); err != nil { a.logger.Error("client shutdown failed", "error", err) } } if a.server != nil { if err := a.server.Shutdown(); err != nil { a.logger.Error("server shutdown failed", "error", err) } } if err := a.consulService.Shutdown(); err != nil { a.logger.Error("shutting down Consul client failed", "error", err) } a.logger.Info("shutdown complete") a.shutdown = true close(a.shutdownCh) return nil } // RPC is used to make an RPC call to the Nomad servers func (a *Agent) RPC(method string, args interface{}, reply interface{}) error { if a.server != nil { return a.server.RPC(method, args, reply) } return a.client.RPC(method, args, reply) } // Client returns the configured client or nil func (a *Agent) Client() *client.Client { return a.client } // Server returns the configured server or nil func (a *Agent) Server() *nomad.Server { return a.server } // Stats is used to return statistics for debugging and insight // for various sub-systems func (a *Agent) Stats() map[string]map[string]string { stats := make(map[string]map[string]string) if a.server != nil { subStat := a.server.Stats() for k, v := range subStat { stats[k] = v } } if a.client != nil { subStat := a.client.Stats() for k, v := range subStat { stats[k] = v } } return stats } // ShouldReload determines if we should reload the configuration and agent // connections. If the TLS Configuration has not changed, we shouldn't reload. func (a *Agent) ShouldReload(newConfig *Config) (agent, http bool) { a.configLock.Lock() defer a.configLock.Unlock() if newConfig.LogLevel != "" && newConfig.LogLevel != a.config.LogLevel { agent = true } isEqual, err := a.config.TLSConfig.CertificateInfoIsEqual(newConfig.TLSConfig) if err != nil { a.logger.Error("parsing TLS certificate", "error", err) return agent, false } else if !isEqual { return true, true } // Allow the ability to only reload HTTP connections if a.config.TLSConfig.EnableHTTP != newConfig.TLSConfig.EnableHTTP { http = true agent = true } // Allow the ability to only reload HTTP connections if a.config.TLSConfig.EnableRPC != newConfig.TLSConfig.EnableRPC { agent = true } if a.config.TLSConfig.RPCUpgradeMode != newConfig.TLSConfig.RPCUpgradeMode { agent = true } return agent, http } // Reload handles configuration changes for the agent. Provides a method that // is easier to unit test, as this action is invoked via SIGHUP. func (a *Agent) Reload(newConfig *Config) error { a.configLock.Lock() defer a.configLock.Unlock() current := a.config.Copy() updatedLogging := newConfig != nil && (newConfig.LogLevel != current.LogLevel) if newConfig == nil || newConfig.TLSConfig == nil && !updatedLogging { return fmt.Errorf("cannot reload agent with nil configuration") } if updatedLogging { current.LogLevel = newConfig.LogLevel a.logger.SetLevel(log.LevelFromString(current.LogLevel)) } // Update eventer config if newConfig.Audit != nil { if err := a.entReloadEventer(newConfig.Audit); err != nil { return err } } // Allow auditor to call reopen regardless of config changes // This is primarily for enterprise audit logging to allow the underlying // file to be reopened if necessary if err := a.auditor.Reopen(); err != nil { return err } fullUpdateTLSConfig := func() { // Completely reload the agent's TLS configuration (moving from non-TLS to // TLS, or vice versa) // This does not handle errors in loading the new TLS configuration current.TLSConfig = newConfig.TLSConfig.Copy() } if !current.TLSConfig.IsEmpty() && !newConfig.TLSConfig.IsEmpty() { // This is just a TLS configuration reload, we don't need to refresh // existing network connections // Reload the certificates on the keyloader and on success store the // updated TLS config. It is important to reuse the same keyloader // as this allows us to dynamically reload configurations not only // on the Agent but on the Server and Client too (they are // referencing the same keyloader). keyloader := current.TLSConfig.GetKeyLoader() _, err := keyloader.LoadKeyPair(newConfig.TLSConfig.CertFile, newConfig.TLSConfig.KeyFile) if err != nil { return err } current.TLSConfig = newConfig.TLSConfig current.TLSConfig.KeyLoader = keyloader a.config = current return nil } else if newConfig.TLSConfig.IsEmpty() && !current.TLSConfig.IsEmpty() { a.logger.Warn("downgrading agent's existing TLS configuration to plaintext") fullUpdateTLSConfig() } else if !newConfig.TLSConfig.IsEmpty() && current.TLSConfig.IsEmpty() { a.logger.Info("upgrading from plaintext configuration to TLS") fullUpdateTLSConfig() } // Set agent config to the updated config a.config = current return nil } // GetConfig returns the current agent configuration. The Config should *not* // be mutated directly. First call Config.Copy. func (a *Agent) GetConfig() *Config { a.configLock.Lock() defer a.configLock.Unlock() return a.config } // setupConsul creates the Consul client and starts its main Run loop. func (a *Agent) setupConsul(consulConfig *config.ConsulConfig) error { apiConf, err := consulConfig.ApiConfig() if err != nil { return err } consulClient, err := consulapi.NewClient(apiConf) if err != nil { return err } // Create Consul Catalog client for service discovery. a.consulCatalog = consulClient.Catalog() // Create Consul ConfigEntries client for managing Config Entries. a.consulConfigEntries = consulClient.ConfigEntries() // Create Consul ACL client for managing tokens. a.consulACLs = consulClient.ACL() // Create Consul Service client for service advertisement and checks. isClient := false if a.config.Client != nil && a.config.Client.Enabled { isClient = true } // Create Consul Agent client for looking info about the agent. consulAgentClient := consulClient.Agent() namespacesClient := consul.NewNamespacesClient(consulClient.Namespaces(), consulAgentClient) a.consulService = consul.NewServiceClient(consulAgentClient, namespacesClient, a.logger, isClient) a.consulProxies = consul.NewConnectProxiesClient(consulAgentClient) // Run the Consul service client's sync'ing main loop go a.consulService.Run() return nil } // noOpAuditor is a no-op Auditor that fulfills the // event.Auditor interface. type noOpAuditor struct{} // Ensure noOpAuditor is an Auditor var _ event.Auditor = &noOpAuditor{} func (e *noOpAuditor) Event(ctx context.Context, eventType string, payload interface{}) error { return nil } func (e *noOpAuditor) Enabled() bool { return false } func (e *noOpAuditor) Reopen() error { return nil } func (e *noOpAuditor) SetEnabled(enabled bool) {} func (e *noOpAuditor) DeliveryEnforced() bool { return false }