Document managed proxy logs (#4447)

* Document proxy logs

* Add extra note about terminating proxies
This commit is contained in:
Paul Banks 2018-07-26 13:56:28 +01:00 committed by GitHub
parent 8dd50d5b2d
commit 8f9cc91d32
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 38 additions and 4 deletions

View File

@ -42,10 +42,9 @@ benchmarks, the service-to-service communication over the built-in proxy
could sustain 5 Gbps with sub-millisecond latency. Therefore, could sustain 5 Gbps with sub-millisecond latency. Therefore,
the performance impact of even the basic built-in proxy is minimal. the performance impact of even the basic built-in proxy is minimal.
Consul will be Consul will be integrating with advanced proxies in the near future to support
integrating with advanced proxies in the near future to support more complex more complex configurations and higher performance. The configuration below is
configurations and higher performance. The configuration below is all for all for the built-in proxy.
the built-in proxy.
-> **Security note:** 1.) Managed proxies can only be configured -> **Security note:** 1.) Managed proxies can only be configured
via agent configuration files. They _cannot_ be registered via the HTTP API. via agent configuration files. They _cannot_ be registered via the HTTP API.
@ -54,6 +53,25 @@ Both of these default configurations help prevent arbitrary process
execution or privilege escalation. This behavior can be configured execution or privilege escalation. This behavior can be configured
[per-agent](/docs/agent/options.html#connect_proxy). [per-agent](/docs/agent/options.html#connect_proxy).
### Lifecycle
The Consul agent starts managed proxies on demand and supervises them,
restarting them if they crash. The lifecycle of the proxy process is decoupled
from the agent so if the agent crashes or is restarted for an upgrade, the
managed proxy instances will _not_ be stopped.
Note that this behaviour while desirable in production might leave proxy
processes running indefinitely if you manually stop the agent and clear it's
data dir during testing.
To terminate a managed proxy cleanly you need to deregister the service that
requested it. If the agent is already stopped and will not be restarted again,
you may choose to locate the proxy processes and kill them manually.
While in `-dev` mode, unless a `-data-dir` is explicitly set, managed proxies
switch to being killed when the agent exits since it can't store state in order
to re-adopt them on restart.
### Minimal Configuration ### Minimal Configuration
Managed proxies are configured within a Managed proxies are configured within a
@ -212,6 +230,22 @@ connect {
With this configuration, all services registered without an explicit With this configuration, all services registered without an explicit
proxy command will use `my-proxy` instead of the default built-in proxy. proxy command will use `my-proxy` instead of the default built-in proxy.
### Managed Proxy Logs
Managed proxies have both stdout and stderr captured in log files in the agent's
`data_dir`. They can be found in
`<data_dir>/proxy/logs/<proxy_service_id>-std{err,out}.log`.
The built-in proxy will inherit it's log level from the agent so if the agent is
configured with `log_level = DEBUG`, a proxy it starts will also output `DEBUG`
level logs showing service discovery, certificate and authorization information.
~> **Note:** In `-dev` mode there is no `data_dir` unless one is explicitly
configured so logging is disabled. You can access logs by providing the
[`-data-dir`](/docs/agent/options.html#_data_dir) CLI option. If a data dir is
configured, this will also cause proxy processes to stay running when the agent
terminates as described in [Lifecycle](#lifecycle).
## Unmanaged Proxies ## Unmanaged Proxies
Unmanaged proxies are regular Consul services that are registered as a Unmanaged proxies are regular Consul services that are registered as a