Website: edits for configuration file options in docs/agent/options.

Ryan Breen 2015-02-15 00:43:01 -05:00
parent 412b89abdf
commit 0c22eb0039

@ -205,19 +205,17 @@ definitions support being updated during a reload.
* `acl_datacenter` - Only used by servers. This designates the data center which * `acl_datacenter` - Only used by servers. This designates the data center which
is authoritative for ACL information. It must be provided to enable ACLs. is authoritative for ACL information. It must be provided to enable ACLs.
All servers and data centers must agree on the ACL data center. Setting it on All servers and data centers must agree on the ACL data center. Setting it on
the servers is all you need for enforcement, but for the APIs to work on the the servers is all you need for enforcement, but for the APIs to forwarding properly
clients, it must be set on them too (to forward properly). Also, if we want from the clients, it must be set on them too. Future changes may move
to enhance the ACL support for other features like service discovery, enforcement to the edges, so it's best to just set `acl_datacenter` on all nodes.
enforcement might move to the edges, so it's best to just set the
`acl_datacenter` on all the nodes.
* `acl_default_policy` - Either "allow" or "deny", defaults to "allow". The * `acl_default_policy` - Either "allow" or "deny"; defaults to "allow". The
default policy controls the behavior of a token when there is no matching default policy controls the behavior of a token when there is no matching
rule. In "allow" mode, ACLs are a blacklist: any operation not specifically rule. In "allow" mode, ACLs are a blacklist: any operation not specifically
prohibited is allowed. In "deny" mode, ACLs are a whitelist: any operation not prohibited is allowed. In "deny" mode, ACLs are a whitelist: any operation not
specifically allowed is blocked. specifically allowed is blocked.
* `acl_down_policy` - Either "allow", "deny" or "extend-cache" which is the * `acl_down_policy` - Either "allow", "deny" or "extend-cache"; "extend-cache" is the
default. In the case that the policy for a token cannot be read from the default. In the case that the policy for a token cannot be read from the
`acl_datacenter` or leader node, the down policy is applied. In "allow" mode, `acl_datacenter` or leader node, the down policy is applied. In "allow" mode,
all actions are permitted, "deny" restricts all operations, and "extend-cache" all actions are permitted, "deny" restricts all operations, and "extend-cache"
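Review bot: The new `acl_datacenter` wording "for the APIs to forwarding properly from the clients" is ungrammatical. The old text had "to work on the clients" with "(to forward properly)" in parentheses, and the merge of the two left a stray "-ing". Suggest "for the APIs to forward properly from the clients, it must be set on them too."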
@ -225,18 +223,17 @@ definitions support being updated during a reload.
ACL is used, "extend-cache" acts like "deny". ACL is used, "extend-cache" acts like "deny".
* `acl_master_token` - Only used for servers in the `acl_datacenter`. This token * `acl_master_token` - Only used for servers in the `acl_datacenter`. This token
will be created if it does not exist with management level permissions. It allows will be created with management-level permissions if it does not exist. It allows
operators to bootstrap the ACL system with a token ID that is well-known. operators to bootstrap the ACL system with a token ID that is well-known.
* `acl_token` - When provided, the agent will use this token when making requests * `acl_token` - When provided, the agent will use this token when making requests
to the Consul servers. Clients can override this token on a per-request basis to the Consul servers. Clients can override this token on a per-request basis
by providing the ?token parameter. When not provided, the empty token is used by providing the "?token" query parameter. When not provided, the empty token, which
which maps to the 'anonymous' ACL policy. maps to the 'anonymous' ACL policy, is used.
* `acl_ttl` - Used to control Time-To-Live caching of ACLs. By default, this
* `acl_ttl` - Used to control Time-To-Live caching of ACLs. By default this
is 30 seconds. This setting has a major performance impact: reducing it will is 30 seconds. This setting has a major performance impact: reducing it will
cause more frequent refreshes, while increasing it reduces the number of caches. cause more frequent refreshes while increasing it reduces the number of caches.
However, because the caches are not actively invalidated, ACL policy may be stale However, because the caches are not actively invalidated, ACL policy may be stale
up to the TTL value. up to the TTL value.
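Review bot: The `acl_ttl` line touched here still says that increasing the TTL "reduces the number of caches". Since the sentence contrasts this with "more frequent refreshes", "refreshes" looks like the intended word and could be fixed in the same pass. Separately, `acl_token` now writes the parameter as "?token" in double quotes, while the other literals in this list use backticks.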
@ -268,13 +265,13 @@ definitions support being updated during a reload.
* `bind_addr` - Equivalent to the `-bind` command-line flag. * `bind_addr` - Equivalent to the `-bind` command-line flag.
* `ca_file` - This provides a the file path to a PEM encoded certificate authority. * `ca_file` - This provides a file path to a PEM-encoded certificate authority.
The certificate authority is used to check the authenticity of client and server The certificate authority is used to check the authenticity of client and server
connections with the appropriate `verify_incoming` or `verify_outgoing` flags. connections with the appropriate `verify_incoming` or `verify_outgoing` flags.
* `cert_file` - This provides a the file path to a PEM encoded certificate. * `cert_file` - This provides a file path to a PEM-encoded certificate.
The certificate is provided to clients or servers to verify the agents authenticity. The certificate is provided to clients or servers to verify the agent's authenticity.
Must be provided along with the `key_file`. It must be provided along with `key_file`.
* `check_update_interval` - This interval controls how often check output from * `check_update_interval` - This interval controls how often check output from
checks in a steady state is synchronized with the server. By default, this is checks in a steady state is synchronized with the server. By default, this is
@ -300,28 +297,30 @@ definitions support being updated during a reload.
new version releases. new version releases.
* `dns_config` - This object allows a number of sub-keys to be set which can tune * `dns_config` - This object allows a number of sub-keys to be set which can tune
how DNS queries are performed. See this guide on [DNS caching](/docs/guides/dns-cache.html). how DNS queries are serviced. See this guide on [DNS caching](/docs/guides/dns-cache.html)
for more detail.
<br><br>
The following sub-keys are available: The following sub-keys are available:
* `allow_stale` - Enables a stale query for DNS information. This allows any Consul * `allow_stale` - Enables a stale query for DNS information. This allows any Consul
server to service the request, instead of only the leader. The advantage of this is server, rather than only the leader, to service the request. The advantage of this is
you get linear read scalability with Consul servers. By default, this is false, meaning you get linear read scalability with Consul servers. By default, this is false, meaning
all requests are serviced by the leader. This provides stronger consistency but all requests are serviced by the leader, providing stronger consistency but
with less throughput and higher latency. less throughput and higher latency.
* `max_stale` - When `allow_stale` is specified, this is used to limit how * `max_stale` - When `allow_stale` is specified, this is used to limit how
stale of a result will be used. By default, this is set to "5s", which means stale results are allowed to be. By default, this is set to "5s":
if a Consul server is more than 5 seconds behind the leader, the query will be if a Consul server is more than 5 seconds behind the leader, the query will be
re-evaluated on the leader to get more up-to-date results. re-evaluated on the leader to get more up-to-date results.
* `node_ttl` - By default, this is "0s", which means all node lookups are served with * `node_ttl` - By default, this is "0s", so all node lookups are served with
a 0 TTL value. This can be set to allow node lookups to set a TTL value, which enables a 0 TTL value. DNS caching for node lookups can be enabled by setting this value. This
DNS caching. This should be specified with the "s" suffix for second, or "m" for minute. should be specified with the "s" suffix for second, or "m" for minute.
* `service_ttl` - This is a sub-object, which allows for setting a TTL on service lookups * `service_ttl` - This is a sub-object which allows for setting a TTL on service lookups
with a per-service policy. The "*" wildcard service can be specified and is used when with a per-service policy. The "*" wildcard service can be used when
there is no specific policy available for a service. By default, all services are served there is no specific policy available for a service. By default, all services are served
with a 0 TTL value. Setting this enables DNS caching. with a 0 TTL value. DNS caching for service lookups can be enabled by setting this value.
* `enable_truncate` - If set to true, a UDP DNS query that would return more than 3 records * `enable_truncate` - If set to true, a UDP DNS query that would return more than 3 records
will set the truncated flag, indicating to clients that they should re-query using TCP to will set the truncated flag, indicating to clients that they should re-query using TCP to
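Review bot: In `node_ttl` and `service_ttl`, the new sentences "DNS caching for ... lookups can be enabled by setting this value" do not say what to set it to. The default is already a value ("0s", served with a 0 TTL), so a reader cannot tell that a non-zero duration is what turns caching on. Suggest "can be enabled by setting this to a non-zero value".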
@ -333,21 +332,22 @@ definitions support being updated during a reload.
* `domain` - By default, Consul responds to DNS queries in the "consul." domain. * `domain` - By default, Consul responds to DNS queries in the "consul." domain.
This flag can be used to change that domain. All queries in this domain are assumed This flag can be used to change that domain. All queries in this domain are assumed
to be handled by Consul, and will not be recursively resolved. to be handled by Consul and will not be recursively resolved.
* `enable_debug` - When set, enables some additional debugging features. Currently, * `enable_debug` - When set, enables some additional debugging features. Currently,
only used to set the runtime profiling HTTP endpoints. this is only used to set the runtime profiling HTTP endpoints.
* `enable_syslog` - Equivalent to the `-syslog` command-line flag. * `enable_syslog` - Equivalent to the `-syslog` command-line flag.
* `encrypt` - Equivalent to the `-encrypt` command-line flag. * `encrypt` - Equivalent to the `-encrypt` command-line flag.
* `key_file` - This provides a the file path to a PEM encoded private key. * `key_file` - This provides a the file path to a PEM-encoded private key.
The key is used with the certificate to verify the agents authenticity. The key is used with the certificate to verify the agent's authenticity.
Must be provided along with the `cert_file`. This must be provided along with `cert_file`.
* `http_api_response_headers` - This object allows adding HTTP header response fields to * `http_api_response_headers` - This object allows adding headers to the HTTP API
the HTTP API responses. For example, the following config can be used to enable CORS on responses. For example, the following config can be used to enable
[CORS](http://en.wikipedia.org/wiki/Cross-origin_resource_sharing) on
the HTTP API endpoints: the HTTP API endpoints:
```javascript ```javascript
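Review bot: The new `key_file` line still reads "This provides a the file path to a PEM-encoded private key." The same "a the" typo was fixed for `ca_file` and `cert_file` earlier in this commit but missed here. Suggest "This provides a file path to a PEM-encoded private key."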
@ -359,7 +359,7 @@ definitions support being updated during a reload.
``` ```
* `leave_on_terminate` - If enabled, when the agent receives a TERM signal, * `leave_on_terminate` - If enabled, when the agent receives a TERM signal,
it will send a Leave message to the rest of the cluster and gracefully it will send a `Leave` message to the rest of the cluster and gracefully
leave. Defaults to false. leave. Defaults to false.
* `log_level` - Equivalent to the `-log-level` command-line flag. * `log_level` - Equivalent to the `-log-level` command-line flag.
@ -384,7 +384,7 @@ definitions support being updated during a reload.
* `recursors` - This flag provides addresses of upstream DNS servers that are used to * `recursors` - This flag provides addresses of upstream DNS servers that are used to
recursively resolve queries if they are not inside the service domain for consul. For example, recursively resolve queries if they are not inside the service domain for consul. For example,
a node can use Consul directly as a DNS server, and if the record is outside of the "consul." domain, a node can use Consul directly as a DNS server, and if the record is outside of the "consul." domain,
the query will be resolved upstream using their servers. the query will be resolved upstream.
* `rejoin_after_leave` - Equivalent to the `-rejoin` command-line flag. * `rejoin_after_leave` - Equivalent to the `-rejoin` command-line flag.
@ -396,75 +396,75 @@ definitions support being updated during a reload.
* `retry_join_wan` - Equivalent to the `-retry-join-wan` command-line flag. Takes a list * `retry_join_wan` - Equivalent to the `-retry-join-wan` command-line flag. Takes a list
of addresses to attempt joining to WAN every `retry_interval_wan` until at least one of addresses to attempt joining to WAN every `retry_interval_wan` until at least one
join -wan works. `-join-wan works.
* `retry_interval_wan` - Equivalent to the `-retry-interval-wan` command-line flag. * `retry_interval_wan` - Equivalent to the `-retry-interval-wan` command-line flag.
* `server` - Equivalent to the `-server` command-line flag. * `server` - Equivalent to the `-server` command-line flag.
* `server_name` - When give, this overrides the `node_name` for the TLS certificate. * `server_name` - When provided, this overrides the `node_name` for the TLS certificate.
It can be used to ensure that the certificate name matches the hostname we It can be used to ensure that the certificate name matches the hostname we
declare. declare.
* `skip_leave_on_interrupt` - This is the similar to`leave_on_terminate` but * `skip_leave_on_interrupt` - This is similar to `leave_on_terminate` but
only affects interrupt handling. By default, an interrupt causes Consul to only affects interrupt handling. By default, an interrupt (such as hitting
gracefully leave, but setting this to true disables that. Defaults to false. Control-C in a shell) causes Consul to gracefully leave. Setting this to true
Interrupts are usually from a Control-C from a shell. disables that. Defaults to false.
* `start_join` - An array of strings specifying addresses of nodes to * `start_join` - An array of strings specifying addresses of nodes to
join upon startup. join upon startup.
* `start_join_wan` - An array of strings specifying addresses of WAN nodes to * `start_join_wan` - An array of strings specifying addresses of WAN nodes to
join -wan upon startup. `-join-wan` upon startup.
* `statsd_addr` - This provides the address of a statsd instance. If provided * `statsd_addr` - This provides the address of a statsd instance. If provided,
Consul will send various telemetry information to that instance for aggregation. Consul will send various telemetry information to that instance for aggregation.
This can be used to capture various runtime information. This sends UDP packets This can be used to capture runtime information. This sends UDP packets
only, and can be used with statsd or statsite. only and can be used with statsd or statsite.
* `statsite_addr` - This provides the address of a statsite instance. If provided * `statsite_addr` - This provides the address of a statsite instance. If provided,
Consul will stream various telemetry information to that instance for aggregation. Consul will stream various telemetry information to that instance for aggregation.
This can be used to capture various runtime information. This streams via This can be used to capture runtime information. This streams via
TCP and can only be used with statsite. TCP and can only be used with statsite.
* `syslog_facility` - When `enable_syslog` is provided, this controls which * `syslog_facility` - When `enable_syslog` is provided, this controls to which
facility messages are sent to. By default, `LOCAL0` will be used. facility messages are sent. By default, `LOCAL0` will be used.
* `ui_dir` - Equivalent to the `-ui-dir` command-line flag. * `ui_dir` - Equivalent to the `-ui-dir` command-line flag.
* `unix_sockets` - This allows tuning the ownership and permissions of the * `unix_sockets` - This allows tuning the ownership and permissions of the
Unix domain socket files created by Consul. Domain sockets are only used if Unix domain socket files created by Consul. Domain sockets are only used if
the HTTP or RPC addresses are configured with the `unix://` prefix. The the HTTP or RPC addresses are configured with the `unix://` prefix. The
following options are valid within this construct, and apply globally to all following options are valid within this construct and apply globally to all
sockets created by Consul: sockets created by Consul:
<br> <br>
* `user` - The name or ID of the user who will own the socket file. * `user` - The name or ID of the user who will own the socket file.
* `group` - The group ID ownership of the socket file. Note that this option * `group` - The group ID ownership of the socket file. Note that this option
currently only supports numeric ID's. currently only supports numeric IDs.
* `mode` - The permission bits to set on the file. * `mode` - The permission bits to set on the file.
<br> <br>
It is important to note that this option may have different effects on It is important to note that this option may have different effects on
different operating systems. Linux generally observes socket file permissions, different operating systems. Linux generally observes socket file permissions
while many BSD variants ignore permissions on the socket file itself. It is while many BSD variants ignore permissions on the socket file itself. It is
important to test this feature on your specific distribution. This feature is important to test this feature on your specific distribution. This feature is
currently not functional on Windows hosts. currently not functional on Windows hosts.
* `verify_incoming` - If set to True, Consul requires that all incoming * `verify_incoming` - If set to true, Consul requires that all incoming
connections make use of TLS, and that the client provides a certificate signed connections make use of TLS and that the client provides a certificate signed
by the Certificate Authority from the `ca_file`. By default, this is false, and by the Certificate Authority from the `ca_file`. By default, this is false, and
Consul will not enforce the use of TLS or verify a client's authenticity. This Consul will not enforce the use of TLS or verify a client's authenticity. This
only applies to Consul servers, since a client never has an incoming connection. only applies to Consul servers since a client never has an incoming connection.
* `verify_outgoing` - If set to True, Consul requires that all outgoing connections * `verify_outgoing` - If set to true, Consul requires that all outgoing connections
make use of TLS, and that the server provide a certificate that is signed by make use of TLS and that the server provides a certificate that is signed by
the Certificate Authority from the `ca_file`. By default, this is false, and Consul the Certificate Authority from the `ca_file`. By default, this is false, and Consul
will not make use of TLS for outgoing connections. This applies to clients and servers, will not make use of TLS for outgoing connections. This applies to clients and servers
as both will make outgoing connections. as both will make outgoing connections.
* `watches` - Watches is a list of watch specifications. * `watches` - Watches is a list of watch specifications which allow an external process
These allow an external process to be automatically invoked when a particular to be automatically invoked when a particular data view is updated. See the
data view is updated. See the [watch documentation](/docs/agent/watches.html) for [watch documentation](/docs/agent/watches.html) for more detail. Watches can be
more documentation. Watches can be modified when the configuration is reloaded. modified when the configuration is reloaded.
## Ports Used ## Ports Used
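Review bot: In `retry_join_wan`, the replacement for "join -wan works." opens a backtick that is never closed ("`-join-wan works."), which will render the rest of the line as code or leave a stray backtick in the output. Suggest closing it after the flag name, as the `start_join_wan` entry in this hunk already does with `-join-wan`.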