2014-02-08 00:41:03 +00:00
---
layout: "docs"
page_title: "Configuration"
sidebar_current: "docs-agent-config"
2014-10-19 23:40:10 +00:00
description: |-
2015-02-13 19:58:05 +00:00
The agent has various configuration options that can be specified via the command-line or via configuration files. All of the configuration options are completely optional. Defaults are specified with their descriptions.
2014-02-08 00:41:03 +00:00
---
# Configuration
The agent has various configuration options that can be specified via
the command-line or via configuration files. All of the configuration
2015-02-13 19:58:05 +00:00
options are completely optional. Defaults are specified with their
descriptions.
2014-02-08 00:41:03 +00:00
2014-02-18 23:30:07 +00:00
When loading configuration, Consul loads the configuration from files
2015-02-13 19:58:05 +00:00
and directories in lexical order. For example, configuration file `basic_config.json`
will be processed before `extra_config.js` . Configuration specified later
2014-02-08 00:41:03 +00:00
will be merged into configuration specified earlier. In most cases,
2015-02-13 19:58:05 +00:00
"merge" means that the later version will override the earlier. In
some cases, such as event handlers, merging appends the handlers to the
existing configuration. The exact merging behavior is specified for each
option below.
2014-02-08 00:41:03 +00:00
2015-02-13 19:58:05 +00:00
Consul also supports reloading configuration when it receives the
2014-02-08 00:41:03 +00:00
SIGHUP signal. Not all changes are respected, but those that are
2014-11-26 03:03:14 +00:00
are documented below in the
[Reloadable Configuration ](#reloadable-configuration ) section. The
[reload command ](/docs/commands/reload.html ) can also be used to trigger a
configuration reload.
2014-02-08 00:41:03 +00:00
## Command-line Options
The options below are all specified on the command-line.
2015-02-17 00:48:49 +00:00
* < a id = "advertise" ></ a > `-advertise` - The advertise address is used to change the address that we
2014-05-16 17:49:36 +00:00
advertise to other nodes in the cluster. By default, the `-bind` address is
advertised. However, in some cases, there may be a routable address that cannot
2015-02-13 19:58:05 +00:00
be bound. This flag enables gossiping a different address to support this.
If this address is not routable, the node will be in a constant flapping state
2014-05-16 17:49:36 +00:00
as other nodes will treat the non-routability as a failure.
2015-02-17 00:48:49 +00:00
* < a id = "bootstrap_anchor" ></ a > `-bootstrap` - This flag is used to control if a server is in "bootstrap" mode. It is important that
2015-02-13 19:58:05 +00:00
no more than one server *per* data center be running in this mode. Technically, a server in bootstrap mode
is allowed to self-elect as the Raft leader. It is important that only a single node is in this mode;
otherwise, consistency cannot be guaranteed as multiple nodes are able to self-elect.
2014-07-01 22:02:26 +00:00
It is not recommended to use this flag after a cluster has been bootstrapped.
2015-02-17 00:48:49 +00:00
* < a id = "bootstrap_expect" ></ a > `-bootstrap-expect` - This flag provides the number of expected servers in the data center.
2015-02-13 19:58:05 +00:00
Either this value should not be provided or the value must agree with other servers in
2014-07-01 22:02:26 +00:00
the cluster. When provided, Consul waits until the specified number of servers are
2015-02-13 19:58:05 +00:00
available and then bootstraps the cluster. This allows an initial leader to be elected
2014-07-01 22:02:26 +00:00
automatically. This cannot be used in conjunction with the `-bootstrap` flag.
2014-04-11 23:23:16 +00:00
2015-02-17 00:48:49 +00:00
* < a id = "bind" ></ a > `-bind` - The address that should be bound to for internal cluster communications.
2014-02-18 23:30:07 +00:00
This is an IP address that should be reachable by all other nodes in the cluster.
2015-02-13 19:58:05 +00:00
By default, this is "0.0.0.0", meaning Consul will use the first available private
2015-02-13 20:19:17 +00:00
IP address. Consul uses both TCP and UDP and the same port for both. If you
2015-02-13 19:58:05 +00:00
have any firewalls, be sure to allow both protocols.
2014-02-18 23:30:07 +00:00
2015-02-17 00:48:49 +00:00
* < a id = "client" ></ a > `-client` - The address to which Consul will bind client interfaces,
2015-02-13 19:58:05 +00:00
including the HTTP, DNS, and RPC servers. By default, this is "127.0.0.1",
2014-04-11 23:23:16 +00:00
allowing only loopback connections. The RPC address is used by other Consul
commands, such as `consul members` , in order to query a running Consul agent.
2014-02-08 00:41:03 +00:00
2015-02-17 00:48:49 +00:00
* < a id = "config_file" ></ a > `-config-file` - A configuration file to load. For more information on
2015-02-13 19:58:05 +00:00
the format of this file, read the [Configuration Files ](#configuration_files ) section.
2014-02-08 00:41:03 +00:00
This option can be specified multiple times to load multiple configuration
files. If it is specified multiple times, configuration files loaded later
2014-11-13 20:02:41 +00:00
will merge with configuration files loaded earlier. During a config merge,
2015-02-13 19:58:05 +00:00
single-value keys (string, int, bool) will simply have their values replaced
2014-11-13 20:02:41 +00:00
while list types will be appended together.
2014-02-08 00:41:03 +00:00
2015-02-17 00:48:49 +00:00
* < a id = "config_dir" ></ a > `-config-dir` - A directory of configuration files to load. Consul will
2015-02-13 20:19:17 +00:00
load all files in this directory with the suffix ".json". The load order
2015-02-17 00:48:49 +00:00
is alphabetical, and the the same merge routine is used as with the
[`config-file` ](config_file ) option above. For more information
on the format of the configuration files, see the [Configuration Files ](#configuration_files ) section.
2014-02-08 00:41:03 +00:00
2015-02-17 00:48:49 +00:00
* < a id = "data_dir" ></ a > `-data-dir` - This flag provides a data directory for the agent to store state.
2014-02-18 23:30:07 +00:00
This is required for all agents. The directory should be durable across reboots.
2015-02-13 19:58:05 +00:00
This is especially critical for agents that are running in server mode as they
must be able to persist cluster state. Additionally, the directory must support
2014-08-22 21:58:10 +00:00
the use of filesystem locking, meaning some types of mounted folders (e.g. VirtualBox
shared folders) may not be suitable.
2014-02-18 23:30:07 +00:00
2015-02-17 00:48:49 +00:00
* < a id = "dc" ></ a > `-dc` - This flag controls the data center in which the agent is running. If not provided,
2015-02-13 20:19:17 +00:00
it defaults to "dc1". Consul has first-class support for multiple data centers, but
2015-02-13 19:58:05 +00:00
it relies on proper configuration. Nodes in the same data center should be on a single
2014-02-18 23:30:07 +00:00
LAN.
2015-02-17 00:48:49 +00:00
* < a id = "encrypt" ></ a > `-encrypt` - Specifies the secret key to use for encryption of Consul
2015-02-13 20:19:17 +00:00
network traffic. This key must be 16-bytes that are Base64-encoded. The
2014-08-22 22:08:15 +00:00
easiest way to create an encryption key is to use `consul keygen` . All
nodes within a cluster must share the same encryption key to communicate.
2015-02-13 19:58:05 +00:00
The provided key is automatically persisted to the data directory and loaded
2014-10-04 21:10:57 +00:00
automatically whenever the agent is restarted. This means that to encrypt
Consul's gossip protocol, this option only needs to be provided once on each
agent's initial startup sequence. If it is provided after Consul has been
2014-10-09 22:28:38 +00:00
initialized with an encryption key, then the provided key is ignored and
a warning will be displayed.
2014-08-22 22:08:15 +00:00
2015-02-17 00:48:49 +00:00
* < a id = "join" ></ a > `-join` - Address of another agent to join upon starting up. This can be
2014-04-11 23:59:16 +00:00
specified multiple times to specify multiple agents to join. If Consul is
unable to join with any of the specified addresses, agent startup will
fail. By default, the agent won't join any nodes when it starts up.
2015-02-17 00:48:49 +00:00
* < a id = "retry_join" ></ a > `-retry-join` - Similar to [`-join` ](#join ) but allows retrying a join if the first
2014-10-12 19:31:47 +00:00
attempt fails. This is useful for cases where we know the address will become
available eventually.
2015-02-17 00:48:49 +00:00
* < a id = "retry_interval" ></ a > `-retry-interval` - Time to wait between join attempts. Defaults to 30s.
2014-10-12 19:31:47 +00:00
2015-02-17 00:48:49 +00:00
* < a id = "retry_max" ></ a > `-retry-max` - The maximum number of join attempts to be made before exiting
2015-02-13 19:58:05 +00:00
with return code 1. By default, this is set to 0 which is interpreted as infinite
retries.
2014-10-12 19:31:47 +00:00
2015-02-17 00:48:49 +00:00
* < a id = "join_wan" ></ a > `-join-wan` - Address of another wan agent to join upon starting up. This can be
2015-02-13 19:58:05 +00:00
specified multiple times to specify multiple WAN agents to join. If Consul is
2014-11-14 15:02:42 +00:00
unable to join with any of the specified addresses, agent startup will
2015-02-17 00:48:49 +00:00
fail. By default, the agent won't [`-join-wan` ](#join_wan ) any nodes when it starts up.
2014-11-14 15:02:42 +00:00
2015-02-17 00:48:49 +00:00
* < a id = "retry_join_wan" ></ a > `-retry-join-wan` - Similar to [`retry-join` ](#retry_join ) but allows retrying
a wan join if the first attempt fails. This is useful for cases where we know the address will become
2014-11-14 15:02:42 +00:00
available eventually.
2015-02-17 00:48:49 +00:00
* < a id = "retry_interval_wan" ></ a > `-retry-interval-wan` - Time to wait between [`-join-wan` ](#join_wan ) attempts.
Defaults to 30s.
2014-11-14 15:02:42 +00:00
2015-02-17 00:48:49 +00:00
* < a id = "retry_max_wan" ></ a > `-retry-max-wan` - The maximum number of [`-join-wan` ](#join_wan ) attempts to
be made before exiting with return code 1. By default, this is set to 0 which is interpreted as infinite
2015-02-13 19:58:05 +00:00
retries.
2014-11-14 15:02:42 +00:00
2015-02-17 00:48:49 +00:00
* < a id = "log_level" ></ a > `-log-level` - The level of logging to show after the Consul agent has
2014-04-11 23:23:16 +00:00
started. This defaults to "info". The available log levels are "trace",
2015-02-13 19:58:05 +00:00
"debug", "info", "warn", and "err". Note that you can always connect to an
agent via `consul monitor` and use any log level. Also, the log level can
be changed during a config reload.
2014-02-18 23:30:07 +00:00
2015-02-17 00:48:49 +00:00
* < a id = "node" ></ a > `-node` - The name of this node in the cluster. This must be unique within
2014-04-11 23:23:16 +00:00
the cluster. By default this is the hostname of the machine.
2014-02-18 23:30:07 +00:00
2015-02-17 00:48:49 +00:00
* < a id = "protocol" ></ a > `-protocol` - The Consul protocol version to use. This defaults to the latest
2014-04-11 23:23:16 +00:00
version. This should be set only when [upgrading ](/docs/upgrading.html ).
2014-04-25 14:09:17 +00:00
You can view the protocol versions supported by Consul by running `consul -v` .
2014-02-18 23:30:07 +00:00
2015-02-17 00:48:49 +00:00
* < a id = "rejoin" ></ a > `-rejoin` - When provided, Consul will ignore a previous leave and attempt to
2014-05-21 19:32:24 +00:00
rejoin the cluster when starting. By default, Consul treats leave as a permanent
2015-02-13 19:58:05 +00:00
intent and does not attempt to join the cluster again when starting. This flag
2014-05-21 19:32:24 +00:00
allows the previous state to be used to rejoin the cluster.
2015-02-17 00:48:49 +00:00
* < a id = "server" ></ a > `-server` - This flag is used to control if an agent is in server or client mode. When provided,
2015-02-13 19:58:05 +00:00
an agent will act as a Consul server. Each Consul cluster must have at least one server and ideally
no more than 5 per data center. All servers participate in the Raft consensus algorithm to ensure that
2014-04-30 19:26:07 +00:00
transactions occur in a consistent, linearizable manner. Transactions modify cluster state, which
2014-02-18 23:30:07 +00:00
is maintained on all server nodes to ensure availability in the case of node failure. Server nodes also
2015-02-13 19:58:05 +00:00
participate in a WAN gossip pool with server nodes in other data centers. Servers act as gateways
to other data centers and forward traffic as appropriate.
2014-02-18 23:30:07 +00:00
2015-02-17 00:48:49 +00:00
* < a id = "syslog" ></ a > `-syslog` - This flag enables logging to syslog. This is only supported on Linux
2014-05-21 19:06:03 +00:00
and OSX. It will result in an error if provided on Windows.
2015-02-17 00:48:49 +00:00
* < a id = "ui_dir" ></ a > `-ui-dir` - This flag provides the directory containing the Web UI resources
2015-02-13 19:58:05 +00:00
for Consul. This must be provided to enable the Web UI. The directory must be readable.
2014-04-23 19:40:11 +00:00
2015-02-17 00:48:49 +00:00
* < a id = "pid_file" ></ a > `-pid-file` - This flag provides the file path for the agent to store its PID. This is useful for
2015-02-13 19:58:05 +00:00
sending signals (for example, `SIGINT` to close the agent or `SIGHUP` to update check definitions) to the agent.
2014-05-06 03:34:40 +00:00
2015-02-17 00:48:49 +00:00
## <a id="configuration_files"></a>Configuration Files
2014-02-08 00:41:03 +00:00
In addition to the command-line options, configuration can be put into
2014-02-19 01:33:44 +00:00
files. This may be easier in certain situations, for example when Consul is
2014-02-08 00:41:03 +00:00
being configured using a configuration management system.
The configuration files are JSON formatted, making them easily readable
and editable by both humans and computers. The configuration is formatted
2014-12-28 04:53:19 +00:00
as a single JSON object with configuration within it.
2014-02-08 00:41:03 +00:00
2014-02-18 23:30:07 +00:00
Configuration files are used for more than just setting up the agent,
they are also used to provide check and service definitions. These are used
to announce the availability of system servers to the rest of the cluster.
2014-11-05 04:01:45 +00:00
They are documented separately under [check configuration ](/docs/agent/checks.html ) and
2014-02-23 02:53:31 +00:00
[service configuration ](/docs/agent/services.html ) respectively. The service and check
definitions support being updated during a reload.
2014-02-18 23:30:07 +00:00
2014-02-08 00:41:03 +00:00
#### Example Configuration File
2014-10-18 22:43:42 +00:00
```javascript
2014-02-08 00:41:03 +00:00
{
2015-02-13 20:19:17 +00:00
"datacenter": "east-aws",
2014-02-18 23:30:07 +00:00
"data_dir": "/opt/consul",
"log_level": "INFO",
"node_name": "foobar",
2014-08-22 00:25:42 +00:00
"server": true,
"watches": [
{
"type": "checks",
"handler": "/usr/bin/health-check-handler.sh"
}
]
2014-02-08 00:41:03 +00:00
}
2014-10-18 22:43:42 +00:00
```
2014-02-08 00:41:03 +00:00
#### Configuration Key Reference
2015-02-13 20:19:17 +00:00
* `acl_datacenter` - Only used by servers. This designates the data center which
2014-08-31 02:03:01 +00:00
is authoritative for ACL information. It must be provided to enable ACLs.
2015-02-13 19:58:05 +00:00
All servers and data centers must agree on the ACL data center. Setting it on
2015-02-15 05:47:52 +00:00
the servers is all you need for enforcement, but for the APIs to forward properly
2015-02-15 05:43:01 +00:00
from the clients, it must be set on them too. Future changes may move
enforcement to the edges, so it's best to just set `acl_datacenter` on all nodes.
2014-02-08 00:41:03 +00:00
2015-02-15 05:43:01 +00:00
* `acl_default_policy` - Either "allow" or "deny"; defaults to "allow". The
2014-08-31 02:03:01 +00:00
default policy controls the behavior of a token when there is no matching
rule. In "allow" mode, ACLs are a blacklist: any operation not specifically
2014-11-05 04:01:45 +00:00
prohibited is allowed. In "deny" mode, ACLs are a whitelist: any operation not
2014-08-31 02:03:01 +00:00
specifically allowed is blocked.
2014-02-08 00:41:03 +00:00
2015-02-15 05:43:01 +00:00
* `acl_down_policy` - Either "allow", "deny" or "extend-cache"; "extend-cache" is the
2014-08-31 02:03:01 +00:00
default. In the case that the policy for a token cannot be read from the
2015-02-13 20:19:17 +00:00
`acl_datacenter` or leader node, the down policy is applied. In "allow" mode,
2014-08-31 02:03:01 +00:00
all actions are permitted, "deny" restricts all operations, and "extend-cache"
allows any cached ACLs to be used, ignoring their TTL values. If a non-cached
ACL is used, "extend-cache" acts like "deny".
2014-02-08 00:41:03 +00:00
2015-02-13 20:19:17 +00:00
* `acl_master_token` - Only used for servers in the `acl_datacenter` . This token
2015-02-15 05:43:01 +00:00
will be created with management-level permissions if it does not exist. It allows
2014-08-31 02:03:01 +00:00
operators to bootstrap the ACL system with a token ID that is well-known.
2014-02-08 00:41:03 +00:00
2014-08-31 02:03:01 +00:00
* `acl_token` - When provided, the agent will use this token when making requests
to the Consul servers. Clients can override this token on a per-request basis
2015-02-15 05:43:01 +00:00
by providing the "?token" query parameter. When not provided, the empty token, which
maps to the 'anonymous' ACL policy, is used.
2014-02-08 00:41:03 +00:00
2015-02-15 05:43:01 +00:00
* `acl_ttl` - Used to control Time-To-Live caching of ACLs. By default, this
2014-08-31 02:03:01 +00:00
is 30 seconds. This setting has a major performance impact: reducing it will
2015-02-15 05:43:01 +00:00
cause more frequent refreshes while increasing it reduces the number of caches.
2014-08-31 02:03:01 +00:00
However, because the caches are not actively invalidated, ACL policy may be stale
up to the TTL value.
2014-04-23 19:40:11 +00:00
2015-01-16 21:06:49 +00:00
* `addresses` - This is a nested object that allows setting bind addresses.
< br > < br >
Both `rpc` and `http` support binding to Unix domain sockets. A socket can be
specified in the form `unix:///path/to/socket` . A new domain socket will be
created at the given path. If the specified file path already exists, Consul
2015-01-21 00:29:22 +00:00
will attempt to clear the file and create the domain socket in its place.
< br > < br >
The permissions of the socket file are tunable via the `unix_sockets` config
construct.
2015-01-16 21:06:49 +00:00
< br > < br >
2015-01-16 17:14:52 +00:00
When running Consul agent commands against Unix socket interfaces, use the
`-rpc-addr` or `-http-addr` arguments to specify the path to the socket. You
can also place the desired values in `CONSUL_RPC_ADDR` and `CONSUL_HTTP_ADDR`
environment variables. For TCP addresses, these should be in the form ip:port.
2015-01-16 21:06:49 +00:00
< br > < br >
2015-01-16 17:14:52 +00:00
The following keys are valid:
2015-01-16 21:06:49 +00:00
* `dns` - The DNS server. Defaults to `client_addr`
* `http` - The HTTP API. Defaults to `client_addr`
* `rpc` - The RPC endpoint. Defaults to `client_addr`
2014-09-02 19:49:52 +00:00
2015-02-17 00:48:49 +00:00
* `advertise_addr` - Equivalent to the [`-advertise` command-line flag ](#advertise ).
2014-02-18 23:30:07 +00:00
2015-02-17 00:48:49 +00:00
* `bootstrap` - Equivalent to the [`-bootstrap` command-line flag ](#bootstrap_anchor ).
2014-05-21 19:06:03 +00:00
2015-02-17 00:48:49 +00:00
* `bootstrap_expect` - Equivalent to the [`-bootstrap-expect` command-line flag ](#bootstrap_expect ).
2014-08-31 02:03:01 +00:00
2015-02-17 00:48:49 +00:00
* `bind_addr` - Equivalent to the [`-bind` command-line flag ](#bind ).
2014-05-21 19:32:24 +00:00
2015-02-17 00:48:49 +00:00
* < a id = "ca_file" ></ a > `ca_file` - This provides a file path to a PEM-encoded certificate authority.
2014-04-11 23:23:16 +00:00
The certificate authority is used to check the authenticity of client and server
2015-02-17 00:48:49 +00:00
connections with the appropriate [`verify_incoming` ](#verify_incoming ) or
[`verify_outgoing` ](#verify_outgoing ) flags.
2014-02-08 00:41:03 +00:00
2015-02-17 00:48:49 +00:00
* < a id = "cert_file" ></ a > `cert_file` - This provides a file path to a PEM-encoded certificate.
2015-02-15 05:43:01 +00:00
The certificate is provided to clients or servers to verify the agent's authenticity.
It must be provided along with `key_file` .
2014-02-08 00:41:03 +00:00
2014-06-09 19:51:12 +00:00
* `check_update_interval` - This interval controls how often check output from
2014-11-05 04:01:45 +00:00
checks in a steady state is synchronized with the server. By default, this is
2014-06-09 19:51:12 +00:00
set to 5 minutes ("5m"). Many checks which are in a steady state produce
slightly different output per run (timestamps, etc) which cause constant writes.
2014-11-05 04:01:45 +00:00
This configuration allows deferring the sync of check output for a given interval to
2014-06-09 19:51:12 +00:00
reduce write pressure. If a check ever changes state, the new state and associated
2014-11-05 04:01:45 +00:00
output is synchronized immediately. To disable this behavior, set the value to "0s".
2014-06-09 19:51:12 +00:00
2015-02-17 00:48:49 +00:00
* `client_addr` - Equivalent to the [`-client` command-line flag ](#client ).
2014-08-31 02:03:01 +00:00
2015-02-17 00:48:49 +00:00
* `datacenter` - Equivalent to the [`-dc` command-line flag ](#dc ).
2014-08-31 02:03:01 +00:00
2015-02-17 00:48:49 +00:00
* `data_dir` - Equivalent to the [`-data-dir` command-line flag ](#data_dir ).
2014-02-08 00:41:03 +00:00
2014-09-02 21:36:25 +00:00
* `disable_anonymous_signature` - Disables providing an anonymous signature for
2015-02-17 00:48:49 +00:00
de-duplication with the update check. See [`disable_update_check` ](#disable_update_check ).
2014-09-02 21:36:25 +00:00
2014-09-01 22:03:37 +00:00
* `disable_remote_exec` - Disables support for remote execution. When set to true,
the agent will ignore any incoming remote exec requests.
2015-02-17 00:48:49 +00:00
* < a id = "disable_update_check" ></ a > `disable_update_check` - Disables automatic checking for security bulletins and
2014-09-02 21:36:25 +00:00
new version releases.
2014-06-09 00:26:41 +00:00
* `dns_config` - This object allows a number of sub-keys to be set which can tune
2015-02-15 05:43:01 +00:00
how DNS queries are serviced. See this guide on [DNS caching ](/docs/guides/dns-cache.html )
for more detail.
< br > < br >
2014-06-09 00:26:41 +00:00
The following sub-keys are available:
* `allow_stale` - Enables a stale query for DNS information. This allows any Consul
2015-02-15 05:43:01 +00:00
server, rather than only the leader, to service the request. The advantage of this is
2014-06-09 00:26:41 +00:00
you get linear read scalability with Consul servers. By default, this is false, meaning
2015-02-15 05:43:01 +00:00
all requests are serviced by the leader, providing stronger consistency but
less throughput and higher latency.
2014-06-09 00:26:41 +00:00
* `max_stale` - When `allow_stale` is specified, this is used to limit how
2015-02-15 05:43:01 +00:00
stale results are allowed to be. By default, this is set to "5s":
2014-06-09 00:26:41 +00:00
if a Consul server is more than 5 seconds behind the leader, the query will be
re-evaluated on the leader to get more up-to-date results.
2015-02-15 05:43:01 +00:00
* `node_ttl` - By default, this is "0s", so all node lookups are served with
a 0 TTL value. DNS caching for node lookups can be enabled by setting this value. This
2015-02-15 05:47:52 +00:00
should be specified with the "s" suffix for second or "m" for minute.
2014-08-31 02:03:01 +00:00
2015-02-15 05:43:01 +00:00
* `service_ttl` - This is a sub-object which allows for setting a TTL on service lookups
with a per-service policy. The "*" wildcard service can be used when
2014-08-31 02:03:01 +00:00
there is no specific policy available for a service. By default, all services are served
2015-02-15 05:43:01 +00:00
with a 0 TTL value. DNS caching for service lookups can be enabled by setting this value.
2014-08-31 02:03:01 +00:00
2014-09-30 19:31:28 +00:00
* `enable_truncate` - If set to true, a UDP DNS query that would return more than 3 records
will set the truncated flag, indicating to clients that they should re-query using TCP to
get the full set of records.
2015-01-10 12:11:32 +00:00
* `only_passing` - If set to true, any nodes whose healthchecks are not passing will be
excluded from DNS results. By default (or if set to false), only nodes whose healthchecks
are failing as critical will be excluded.
2014-08-31 02:03:01 +00:00
* `domain` - By default, Consul responds to DNS queries in the "consul." domain.
This flag can be used to change that domain. All queries in this domain are assumed
2015-02-15 05:43:01 +00:00
to be handled by Consul and will not be recursively resolved.
2014-08-31 02:03:01 +00:00
2014-04-11 23:23:16 +00:00
* `enable_debug` - When set, enables some additional debugging features. Currently,
2015-02-15 05:43:01 +00:00
this is only used to set the runtime profiling HTTP endpoints.
2014-04-11 23:23:16 +00:00
2015-02-17 00:48:49 +00:00
* < a id = "enable_syslog" ></ a > `enable_syslog` - Equivalent to the [`-syslog` command-line flag ](#syslog ).
2014-08-31 02:03:01 +00:00
2015-02-17 00:48:49 +00:00
* `encrypt` - Equivalent to the [`-encrypt` command-line flag ](#encrypt ).
2014-04-11 23:23:16 +00:00
2015-02-15 05:43:01 +00:00
* `key_file` - This provides a the file path to a PEM-encoded private key.
The key is used with the certificate to verify the agent's authenticity.
2015-02-17 00:48:49 +00:00
This must be provided along with [`cert_file` ](#cert_file ).
2014-02-08 00:41:03 +00:00
2015-02-15 05:43:01 +00:00
* `http_api_response_headers` - This object allows adding headers to the HTTP API
responses. For example, the following config can be used to enable
[CORS ](http://en.wikipedia.org/wiki/Cross-origin_resource_sharing ) on
2014-12-28 04:53:19 +00:00
the HTTP API endpoints:
```javascript
{
"http_api_response_headers": {
"Access-Control-Allow-Origin": "*"
}
}
```
2015-02-17 00:48:49 +00:00
* < a id = "leave_on_terminate" ></ a > `leave_on_terminate` - If enabled, when the agent receives a TERM signal,
2015-02-15 05:43:01 +00:00
it will send a `Leave` message to the rest of the cluster and gracefully
2014-02-08 00:41:03 +00:00
leave. Defaults to false.
2015-02-17 00:48:49 +00:00
* `log_level` - Equivalent to the [`-log-level` command-line flag ](#log_level ).
2014-08-31 02:03:01 +00:00
2015-02-17 00:48:49 +00:00
* `node_name` - Equivalent to the [`-node` command-line flag ](#node ).
2014-08-31 02:03:01 +00:00
2014-04-11 23:31:33 +00:00
* `ports` - This is a nested object that allows setting the bind ports
for the following keys:
2014-06-09 00:26:41 +00:00
* `dns` - The DNS server, -1 to disable. Default 8600.
2015-01-04 11:57:48 +00:00
* `http` - The HTTP API, -1 to disable. Default 8500.
* `https` - The HTTPS API, -1 to disable. Default -1 (disabled).
2014-06-09 00:26:41 +00:00
* `rpc` - The RPC endpoint. Default 8400.
* `serf_lan` - The Serf LAN port. Default 8301.
* `serf_wan` - The Serf WAN port. Default 8302.
* `server` - Server RPC address. Default 8300.
2014-04-11 23:31:33 +00:00
2015-02-17 00:48:49 +00:00
* `protocol` - Equivalent to the [`-protocol` command-line flag ](#protocol ).
2014-08-31 02:03:01 +00:00
2014-11-03 19:28:21 +00:00
* `recursor` - Provides a single recursor address. This has been deprecated, and
2015-02-17 00:48:49 +00:00
the value is appended to the [`recursors` ](#recursors ) list for backwards compatibility.
2014-11-03 19:28:21 +00:00
2015-02-17 00:48:49 +00:00
* < a id = "recursors" ></ a > `recursors` - This flag provides addresses of upstream DNS servers that are used to
2014-04-11 23:23:16 +00:00
recursively resolve queries if they are not inside the service domain for consul. For example,
a node can use Consul directly as a DNS server, and if the record is outside of the "consul." domain,
2015-02-15 05:43:01 +00:00
the query will be resolved upstream.
2014-04-11 23:23:16 +00:00
2015-02-17 00:48:49 +00:00
* `rejoin_after_leave` - Equivalent to the [`-rejoin` command-line flag ](#rejoin ).
2014-08-31 02:03:01 +00:00
2015-02-17 00:48:49 +00:00
* `retry_join` - Equivalent to the [`-retry-join` command-line flag ](#retry_join ). Takes a list
2014-10-23 23:39:23 +00:00
of addresses to attempt joining every `retry_interval` until at least one
2015-02-17 00:48:49 +00:00
[`-join` ](#join ) works.
2014-10-23 23:39:23 +00:00
2015-02-17 00:48:49 +00:00
* `retry_interval` - Equivalent to the [`-retry-interval` command-line flag ](#retry_interval ).
2014-10-23 23:39:23 +00:00
2015-02-17 00:48:49 +00:00
* `retry_join_wan` - Equivalent to the [`-retry-join-wan` command-line flag ](#retry_join_wan ). Takes a list
of addresses to attempt joining to WAN every [`retry_interval_wan` ](#retry_interval_wan ) until at least one
[`-join-wan` ](#join_wan ) works.
2014-11-14 15:02:42 +00:00
2015-02-17 00:48:49 +00:00
* `retry_interval_wan` - Equivalent to the [`-retry-interval-wan` command-line flag ](#retry_interval_wan ).
2014-11-14 15:02:42 +00:00
2015-02-17 00:48:49 +00:00
* `server` - Equivalent to the [`-server` command-line flag ](#server ).
2014-08-31 02:03:01 +00:00
2015-02-15 05:43:01 +00:00
* `server_name` - When provided, this overrides the `node_name` for the TLS certificate.
2014-08-31 02:03:01 +00:00
It can be used to ensure that the certificate name matches the hostname we
declare.
2015-02-17 00:48:49 +00:00
* `skip_leave_on_interrupt` - This is similar to [`leave_on_terminate` ](#leave_on_terminate ) but
2015-02-15 05:43:01 +00:00
only affects interrupt handling. By default, an interrupt (such as hitting
Control-C in a shell) causes Consul to gracefully leave. Setting this to true
disables that. Defaults to false.
2014-02-08 00:41:03 +00:00
2014-04-11 23:59:16 +00:00
* `start_join` - An array of strings specifying addresses of nodes to
join upon startup.
2014-11-17 22:14:59 +00:00
* `start_join_wan` - An array of strings specifying addresses of WAN nodes to
2015-02-17 00:48:49 +00:00
[`-join-wan` ](#join_wan ) upon startup.
2014-11-14 15:02:42 +00:00
2015-02-15 05:43:01 +00:00
* `statsd_addr` - This provides the address of a statsd instance. If provided,
2014-09-02 18:26:08 +00:00
Consul will send various telemetry information to that instance for aggregation.
2015-02-15 05:43:01 +00:00
This can be used to capture runtime information. This sends UDP packets
only and can be used with statsd or statsite.
2014-09-02 18:26:08 +00:00
2015-02-15 05:43:01 +00:00
* `statsite_addr` - This provides the address of a statsite instance. If provided,
2014-04-11 23:23:16 +00:00
Consul will stream various telemetry information to that instance for aggregation.
2015-02-15 05:43:01 +00:00
This can be used to capture runtime information. This streams via
2014-09-02 18:26:08 +00:00
TCP and can only be used with statsite.
2014-02-20 22:59:54 +00:00
2015-02-17 00:48:49 +00:00
* `syslog_facility` - When [`enable_syslog` ](#enable_syslog ) is provided, this controls to which
2015-02-15 05:43:01 +00:00
facility messages are sent. By default, `LOCAL0` will be used.
2014-06-11 17:18:19 +00:00
2015-02-17 00:48:49 +00:00
* `ui_dir` - Equivalent to the [`-ui-dir` ](#ui_dir ) command-line flag.
2014-08-31 02:03:01 +00:00
2015-01-21 00:29:22 +00:00
* `unix_sockets` - This allows tuning the ownership and permissions of the
Unix domain socket files created by Consul. Domain sockets are only used if
the HTTP or RPC addresses are configured with the `unix://` prefix. The
2015-02-15 05:43:01 +00:00
following options are valid within this construct and apply globally to all
2015-01-21 00:29:22 +00:00
sockets created by Consul:
< br >
* `user` - The name or ID of the user who will own the socket file.
* `group` - The group ID ownership of the socket file. Note that this option
2015-02-15 05:43:01 +00:00
currently only supports numeric IDs.
2015-01-21 00:29:22 +00:00
* `mode` - The permission bits to set on the file.
2015-01-21 03:16:12 +00:00
< br >
It is important to note that this option may have different effects on
2015-02-15 05:43:01 +00:00
different operating systems. Linux generally observes socket file permissions
2015-01-21 03:16:12 +00:00
while many BSD variants ignore permissions on the socket file itself. It is
important to test this feature on your specific distribution. This feature is
currently not functional on Windows hosts.
2015-01-21 00:29:22 +00:00
2015-02-17 00:48:49 +00:00
* < a id = "verify_incoming" ></ a > `verify_incoming` - If set to true, Consul requires that all incoming
2015-02-15 05:43:01 +00:00
connections make use of TLS and that the client provides a certificate signed
2015-02-17 00:48:49 +00:00
by the Certificate Authority from the [`ca_file` ](#ca_file ). By default, this is false, and
2014-04-07 21:46:13 +00:00
Consul will not enforce the use of TLS or verify a client's authenticity. This
2015-02-15 05:43:01 +00:00
only applies to Consul servers since a client never has an incoming connection.
2014-04-07 21:46:13 +00:00
2015-02-17 00:48:49 +00:00
* < a id = "verify_outgoing" ></ a > `verify_outgoing` - If set to true, Consul requires that all outgoing connections
2015-02-15 05:43:01 +00:00
make use of TLS and that the server provides a certificate that is signed by
2015-02-17 00:48:49 +00:00
the Certificate Authority from the [`ca_file` ](#ca_file ). By default, this is false, and Consul
2015-02-15 05:43:01 +00:00
will not make use of TLS for outgoing connections. This applies to clients and servers
2014-04-07 21:46:13 +00:00
as both will make outgoing connections.
2014-08-04 00:51:43 +00:00
2015-02-15 05:43:01 +00:00
* `watches` - Watches is a list of watch specifications which allow an external process
to be automatically invoked when a particular data view is updated. See the
[watch documentation ](/docs/agent/watches.html ) for more detail. Watches can be
modified when the configuration is reloaded.
2014-08-22 00:25:42 +00:00
2014-08-04 00:51:43 +00:00
## Ports Used
2015-02-15 05:47:52 +00:00
Consul requires up to 5 different ports to work properly, some on
2014-08-05 17:46:52 +00:00
TCP, UDP, or both protocols. Below we document the requirements for each
port.
2014-08-04 00:52:36 +00:00
2014-08-05 17:46:52 +00:00
* Server RPC (Default 8300). This is used by servers to handle incoming
requests from other agents. TCP only.
2014-08-04 00:52:36 +00:00
2014-08-05 17:46:52 +00:00
* Serf LAN (Default 8301). This is used to handle gossip in the LAN.
2015-02-15 05:47:52 +00:00
Required by all agents. TCP and UDP.
2014-08-04 00:52:36 +00:00
2014-11-05 04:01:45 +00:00
* Serf WAN (Default 8302). This is used by servers to gossip over the
2014-08-05 17:46:52 +00:00
WAN to other servers. TCP and UDP.
2014-08-04 00:52:36 +00:00
2014-08-05 17:46:52 +00:00
* CLI RPC (Default 8400). This is used by all agents to handle RPC
from the CLI. TCP only.
* HTTP API (Default 8500). This is used by clients to talk to the HTTP
API. TCP only.
* DNS Interface (Default 8600). Used to resolve DNS queries. TCP and UDP.
2014-08-04 00:52:36 +00:00
2015-02-17 00:48:49 +00:00
## <a id="reloadable-configuration"></a>Reloadable Configuration</a>
2014-11-26 03:03:14 +00:00
Reloading configuration does not reload all configuration items. The
items which are reloaded include:
* Log level
* Checks
* Services
* Watches
* HTTP Client Address