Merge pull request #10336 from hashicorp/docs/licensing-updates

[Docs] Update documentation with information about v1.10 licensing changes.
This commit is contained in:
Matt Keeler 2021-06-03 10:50:55 -04:00 committed by hc-github-team-consul-core
parent 749a0b01c3
commit d50875f48f
7 changed files with 177 additions and 60 deletions

View File

@ -2,7 +2,7 @@
layout: api
page_title: License - Operator - HTTP API
description: |-
The /operator/license endpoints allow for setting and retrieving the Consul
The /operator/license endpoint allows for retrieving the Consul
Enterprise License.
---
@ -76,6 +76,9 @@ $ curl \
## Updating the Consul License
-> **Deprecated** This endpoint was removed in Consul v1.10.0 along with
the ability to manage the cluster's license via the API.
This endpoint updates the Consul license and returns some of the
license contents as well as any warning messages regarding its validity.
@ -144,6 +147,9 @@ $ curl \
## Resetting the Consul License
-> **Deprecated** This endpoint was removed in Consul v1.10.0 along with
the ability to manage the cluster's license via the API.
This endpoint resets the Consul license to the license included in the Enterprise binary. If the included license is not valid, the replace will fail.
| Method | Path | Produces |

View File

@ -2,7 +2,7 @@
layout: commands
page_title: 'Commands: License'
description: >
The license command provides datacenter-level management of the Consul
The license command provides a datacenter-level view of the Consul
Enterprise license.
---
@ -12,7 +12,10 @@ Command: `consul license`
<EnterpriseAlert />
The `license` command provides datacenter-level management of the Consul Enterprise license. This was added in Consul 1.1.0.
The `license` command provides datacenter-level view of the Consul Enterprise license. This was added
in Consul 1.1.0 but Consul 1.10.0 removed the ability to set and reset the license using the CLI.
See the [licensing documentation](/docs/enterprise#licensing) for more information about
Consul Enterprise license management.
If ACLs are enabled then a token with operator privileges may be required in
order to use this command. Requests are forwarded internally to the leader
@ -56,6 +59,10 @@ Subcommands:
## put
-> **Deprecated** The ability to manage the cluster's license via the CLI
was removed in Consul 1.10. While the CLI command still exists it will
always return an error. This command will be fully removed in a future release.
This command sets the Consul Enterprise license.
Usage: `consul license put [options] LICENSE`
@ -116,6 +123,10 @@ Licensed Features:
## reset
-> **Deprecated** The ability to manage the cluster's license via the CLI
was removed in Consul 1.10. While the CLI command still exists it will
always return an error. This command will be fully removed in a future release.
Resets license for the datacenter to the one builtin in Consul binary, if it is still valid.
If the builtin license is invalid, the current one stays active.

View File

@ -150,6 +150,7 @@ Usage: `consul snapshot agent [options]`
"ca_path": "",
"cert_file": "",
"key_file": "",
"license_path": "",
"tls_server_name": "",
"log": {
"level": "INFO",
@ -378,3 +379,20 @@ $ consul snapshot agent -interval=0
Please see the [HTTP API](/api/snapshot) documentation for
more details about snapshot internals.
## Licensing
The snapshot agent requires a license when it starts before it will perform any other
actions. This can be provided using the `license_path` configuration item, the
`CONSUL_LICENSE_PATH` environment variable or the `CONSUL_LICENSE` environment variable.
The `license_path` configuration and `CONSUL_LICENSE_PATH` variable should point to
files that contain the license whereas the `CONSUL_LICENSE` variable value should be
the contents of the license itself. If a license is present in multiple ways the
then the order of precedence is as follows:
1. `CONSUL_LICENSE` variable
2. `CONSUL_LICENSE_PATH` variable
3. `license_path` configuration.
See the [licensing documentation](/docs/enterprise#licensing) for more information about
Consul Enterprise license management.

View File

@ -1636,6 +1636,8 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr
- `leave_on_terminate` If enabled, when the agent receives a TERM signal, it will send a `Leave` message to the rest of the cluster and gracefully leave. The default behavior for this feature varies based on whether or not the agent is running as a client or a server (prior to Consul 0.7 the default value was unconditionally set to `false`). On agents in client-mode, this defaults to `true` and for agents in server-mode, this defaults to `false`.
- `license_path` <EnterpriseAlert inline /> This specifies the path to a file that contains the Consul Enterprise license. See the [licensing documentation](/docs/enterprise#licensing) for more information about Consul Enterprise license management.
- `limits` Available in Consul 0.9.3 and later, this is a nested
object that configures limits that are enforced by the agent. Prior to Consul 1.5.2,
this only applied to agents in client mode, not Consul servers. The following parameters

View File

@ -249,6 +249,23 @@ Note that if servers don't restart often, then the snapshot could have grown
significantly since the last restore happened so last restore times might not
reflect what would happen if an agent restarts now.
### License Expiration <EnterpriseAlert inline />
| Metric Name | Description | Unit | Type |
| :-------------------------------- | :--------------------------------------------------------------- | :---- | :---- |
| `consul.system.licenseExpiration` | Number of hours until the Consul Enterprise license will expire. | hours | gauge |
**Why they're important:**
This measurement indicates how many hours are left before the Consul Enterprise license expires. When the license expires some
Consul Enterprise features will cease to work. An example of this is that after expiration, it is no longer possible to create
or modify resources in non-default namespaces or to manage namespace definitions themselves even though reads of namespaced
resources will still work.
**What to look for:**
This metric should be monitored to ensure that the license doesn't expire to prevent degradation of functionality.
## Metrics Reference
@ -280,10 +297,10 @@ This is a full list of metrics emitted by Consul.
| `consul.client.api.catalog_service_nodes.` | Increments whenever a Consul agent receives a request to list nodes offering a service. | requests | counter |
| `consul.client.api.success.catalog_service_nodes.` | Increments whenever a Consul agent successfully responds to a request to list nodes offering a service. | requests | counter |
| `consul.client.api.error.catalog_service_nodes.` | Increments whenever a Consul agent receives an RPC error for request to list nodes offering a service. | requests | counter |
| `consul.client.rpc.error.catalog_service_nodes.` | Increments whenever a Consul agent receives an RPC error for a request to list nodes offering a service. | errors | counter |
| `consul.client.api.catalog_node_services.` | Increments whenever a Consul agent receives a request to list services registered in a node. | requests | counter |
| `consul.client.api.success.catalog_node_services.` | Increments whenever a Consul agent successfully responds to a request to list services in a node. | requests | counter |
| `consul.client.rpc.error.catalog_node_services.` | Increments whenever a Consul agent receives an RPC error for a request to list services in a node. | errors | counter |
| `consul.client.rpc.error.catalog_service_nodes.` | Increments whenever a Consul agent receives an RPC error for a request to list nodes offering a service.   | errors | counter |
| `consul.client.api.catalog_node_services.` | Increments whenever a Consul agent receives a request to list services registered in a node.   | requests | counter |
| `consul.client.api.success.catalog_node_services.` | Increments whenever a Consul agent successfully responds to a request to list services in a node.   | requests | counter |
| `consul.client.rpc.error.catalog_node_services.` | Increments whenever a Consul agent receives an RPC error for a request to list services in a node.   | errors | counter |
| `consul.client.api.catalog_node_service_list` | Increments whenever a Consul agent receives a request to list a node's registered services. | requests | counter |
| `consul.client.rpc.error.catalog_node_service_list` | Increments whenever a Consul agent receives an RPC error for request to list a node's registered services. | errors | counter |
| `consul.client.api.success.catalog_node_service_list` | Increments whenever a Consul agent successfully responds to a request to list a node's registered services. | requests | counter |
@ -300,6 +317,7 @@ This is a full list of metrics emitted by Consul.
| `consul.dns.ptr_query.` | Measures the time spent handling a reverse DNS query for the given node. | ms | timer |
| `consul.dns.domain_query.` | Measures the time spent handling a domain query for the given node. | ms | timer |
| `consul.http...` | DEPRECATED IN 1.9: Tracks how long it takes to service the given HTTP request for the given verb and path. Paths do not include details like service or key names, for these an underscore will be present as a placeholder (eg. `consul.http.GET.v1.kv._`) | ms | timer |
| `consul.system.licenseExpiration` | <EnterpriseAlert inline /> This measures the number of hours remaining on the agents license. | hours | gauge |
| `consul.version` | Measures the count of running agents. | agents | guage |
## Server Health

View File

@ -28,13 +28,18 @@ Enterprise](https://www.hashicorp.com/consul).
## Licensing
Licensing capabilities were added to Consul Enterprise v1.1.0. The license is set
once for a datacenter and will automatically propagate to all nodes within the
datacenter over a period of time scaled between 1 and 20 minutes depending on the
number of nodes in the datacenter. There are two methods for licensing Consul
enterprise.
All Consul Enterprise agents must be licensed when they are started. Where that license comes from will depend
on which binary is in use, whether the agent is a server, client or snapshot agent and whether ACLs have been
enabled for the cluster.
### Included in the Enterprise Package
-> ** Consul Enterprise v1.10.0 removed temporary licensing.** In previous versions Consul Enterprise
agents could start without a license and then have a license applied to them later on via the CLI
or API. That functionality has been removed and replaced with the ability to load licenses from the
agent's configuration or environment. Also prior to v1.10.0 server agents would automatically propagate
the license between themselves. This no longer occurs and the license must be present on each server
when they are started.
### Binaries with Built In Licenses
If you are downloading Consul from Amazon S3, then the license is included
in the binary and you do not need to take further action. This is the
@ -44,16 +49,41 @@ In the S3 bucket you will find three Enterprise zip packages. The packages with
`+prem` in the name, are the binaries that include the license. The package
with `+ent` in the name does not include the license.
### Applied after Bootstrapping
When using these binaries no further action is necessary to configure the license.
If you are downloading the enterprise binary from the [releases.hashicorp.com](https://releases.hashicorp.com/consul/) or the `+ent` package from Amazon S3, you will need to apply
the license to the cluster, after completing the bootstrapping process.
You can set the license on any agent within the cluster and it will be
forwarded to the leading server via the RPC forwarding functionality.
Below are your two options for setting the license file.
### Binaries Without Built In Licenses
You can set the license via the
[API](/api/operator/license) or the [CLI](/commands/license). When
you first start Consul, a 30-minute temporary license is available to allow you
time to license the datacenter. You should set the license within ten minutes of
starting the first Consul process to allow time for the license to propagate.
For binaries that do not include built in licenses a license must be available at the time the agent starts.
For server agents this means that they must either have the [`license_path`](/docs/agent/opts#license_path)
configuration set or have a license configured in the servers environment with the `CONSUL_LICENSE` or
`CONSUL_LICENSE_PATH` environment variables. Both the configuration item and the `CONSUL_LICENSE_PATH`
environment variable point to a file containing the license whereas the `CONSUL_LICENSE` environment
variable should contain the license as the value. If multiple of these are set the order of precedence is:
1. `CONSUL_LICENSE` environment variable
2. `CONSUL_LICENSE_PATH` environment variable
3. `license_path` configuration item.
Both client agents and the snapshot agent may also be licensed in the very same manner. However to prevent
the need to configure the license on many client agents and snapshot agents those agents have the capability
to retrieve the license automatically under specific circumstances.
#### Client Agent License Retrieval
When a client agent starts without a license in its configuration or environment, it will try to retrieve the
license from the servers via RPCs. That RPC always requires a valid non-anonymous ACL token to authorize the
request but the token doesn't need any particular permissions. As the license is required before the client
actually joins the cluster, where to make those RPC requests to is inferred from the [`start_join`](/docs/agent/opts#start_join)
or [`retry_join`](/docs/agent/opts#retry_join) configurations. If those are both unset or no
[`agent` token](/docs/agent/opts#acl_tokens_agent) is set then the client agent will immediately shut itself down.
If all preliminary checks pass the client agent will attempt to reach out to any server on its RPC port to
request the license. These requests will be retried for up to 5 minutes and if it is unable to retrieve a
license within that time frame it will shut itself down.
#### Snapshot Agent License Retrieval
The snapshot agent has similar functionality to the client agent for automatically retrieving the license. However,
instead of requiring a server agent to talk to, the snapshot agent can request the license from the server or
client agent it would use for all other operations. It still requires an ACL token to authorize the request. Also
like client agents, the snapshot agent will shut itself down after being unable to retrieve the license for 5
minutes.

View File

@ -14,6 +14,38 @@ provided for their upgrades as a result of new features or changed behavior.
This page is used to document those details separately from the standard
upgrade flow.
## Consul 1.10.0 <EnterpriseAlert inline />
Consul Enterprise 1.10 has removed temporary licensing capabilities from the binaries
found on https://releases.hashicorp.com. Servers will no longer load a license previously
set through the CLI or API. Instead the license must be present in the server's configuration
or environment prior to starting. See the [licensing documentation](/docs/enterprise#licensing)
for more information about how to configure the license. Client agents previously retrieved their
license from the servers in the cluster within 30 minutes of starting and the snapshot agent
would similarly retrieve its license from the server or client agent it was configured to use. As
of Consul Enterprise 1.10 both the snapshot agent and client agent have gained the ability to
have a license loaded from a configuration file or from their environment the same way server
agents must have the license specified. Both agents can still perform automatic retrieval of their
license but with a few extra stipulations. First, license auto-retrieval now requires that ACLs
are on and that the client or snapshot agent is configured with a valid ACL token. Secondly, client
agents require that either the [`start_join`](/docs/agent/opts#start_join) or
[`retry_join`](/docs/agent/opts#retry_join) configurations are set and that they resolve to server
agents. If those stipulations are not met, attempting to start the client or snapshot agent will
result in it immediately shutting down.
### Migration <EnterpriseAlert inline />
Prior to upgrading Consul Enterprise to v1.10 you should ensure the license is set in all the right places.
In general following these steps should be all thats necessary to ensure a smooth upgrade.
1. Retrieve the existing license from your existing cluster by running `consul license get -signed`
2. Ensure that the license is configured on all your servers by setting the one of the `license_path`
configuration item, the `CONSUL_LICENSE_PATH` environment variable or the `CONSUL_LICENSE`
environment variable.
3. If ACLs are not in use or if not all client agents are configured with the necessary `start_join` /
`retry_join` configurations pointing to servers, then repeat step 2 for all client agents.
4. If ACLs are not in use then repeat step 2 for all snapshot agents.
5. Now proceed with the [standard upgrade procedure](/docs/upgrading#standard-upgrades).
## Consul 1.9.0
### Changes to Raft Protocol Support