Merge pull request #12005 from hashicorp/docs/agent-config

[Docs] Agent configuration hierarchy - This PR reorganizes the Consul agent configuration documentation. CLI configuration options and configuration file options are now on separate pages. Additionally, options have been grouped into related categories. The goal is to make the content more consumable and navigable from the TOC menu.
This commit is contained in:
trujillo-adam 2022-03-15 15:34:07 -07:00 committed by GitHub
commit e12a0d0835
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
92 changed files with 2365 additions and 1770 deletions

View File

@ -1,4 +1,4 @@
# Fullconfiguration options can be found at https://www.consul.io/docs/agent/options.html # Fullconfiguration options can be found at https://www.consul.io/docs/agent/config.html
# datacenter # datacenter
# This flag controls the datacenter in which the agent is running. If not provided, # This flag controls the datacenter in which the agent is running. If not provided,

View File

@ -473,7 +473,7 @@ token. [[GH-10795](https://github.com/hashicorp/consul/issues/10795)]
KNOWN ISSUES: KNOWN ISSUES:
* The change to enable streaming by default uncovered an incompatibility between streaming and WAN federation over mesh gateways causing traffic to fall back to attempting a direct WAN connection rather than transiting through the gateways. We currently suggest explicitly setting [`use_streaming_backend=false`](https://www.consul.io/docs/agent/options#use_streaming_backend) if using WAN federation over mesh gateways when upgrading to 1.10.1 and are working to address this issue in a future patch release. * The change to enable streaming by default uncovered an incompatibility between streaming and WAN federation over mesh gateways causing traffic to fall back to attempting a direct WAN connection rather than transiting through the gateways. We currently suggest explicitly setting [`use_streaming_backend=false`](https://www.consul.io/docs/agent/config/config-files#use_streaming_backend) if using WAN federation over mesh gateways when upgrading to 1.10.1 and are working to address this issue in a future patch release.
SECURITY: SECURITY:
@ -1891,7 +1891,7 @@ FEATURES:
* **Connect Envoy Supports L7 Routing:** Additional configuration entry types `service-router`, `service-resolver`, and `service-splitter`, allow for configuring Envoy sidecars to enable reliability and deployment patterns at L7 such as HTTP path-based routing, traffic shifting, and advanced failover capabilities. For more information see the [L7 traffic management](https://www.consul.io/docs/connect/l7-traffic-management.html) docs. * **Connect Envoy Supports L7 Routing:** Additional configuration entry types `service-router`, `service-resolver`, and `service-splitter`, allow for configuring Envoy sidecars to enable reliability and deployment patterns at L7 such as HTTP path-based routing, traffic shifting, and advanced failover capabilities. For more information see the [L7 traffic management](https://www.consul.io/docs/connect/l7-traffic-management.html) docs.
* **Mesh Gateways:** Envoy can now be run as a gateway to route Connect traffic across datacenters using SNI headers, allowing connectivty across platforms and clouds and other complex network topologies. Read more in the [mesh gateway docs](https://www.consul.io/docs/connect/mesh_gateway.html). * **Mesh Gateways:** Envoy can now be run as a gateway to route Connect traffic across datacenters using SNI headers, allowing connectivty across platforms and clouds and other complex network topologies. Read more in the [mesh gateway docs](https://www.consul.io/docs/connect/mesh_gateway.html).
* **Intention & CA Replication:** In order to enable connecitivty for services across datacenters, Connect intentions are now replicated and the Connect CA cross-signs from the [primary_datacenter](/docs/agent/options.html#primary_datacenter). This feature was previously part of Consul Enterprise. * **Intention & CA Replication:** In order to enable connecitivty for services across datacenters, Connect intentions are now replicated and the Connect CA cross-signs from the [primary_datacenter](/docs/agent/config/config-files.html#primary_datacenter). This feature was previously part of Consul Enterprise.
* agent: add `local-only` parameter to operator/keyring list requests to force queries to only hit local servers. [[GH-6279](https://github.com/hashicorp/consul/pull/6279)] * agent: add `local-only` parameter to operator/keyring list requests to force queries to only hit local servers. [[GH-6279](https://github.com/hashicorp/consul/pull/6279)]
* connect: expose an API endpoint to compile the discovery chain [[GH-6248](https://github.com/hashicorp/consul/issues/6248)] * connect: expose an API endpoint to compile the discovery chain [[GH-6248](https://github.com/hashicorp/consul/issues/6248)]
* connect: generate the full SNI names for discovery targets in the compiler rather than in the xds package [[GH-6340](https://github.com/hashicorp/consul/issues/6340)] * connect: generate the full SNI names for discovery targets in the compiler rather than in the xds package [[GH-6340](https://github.com/hashicorp/consul/issues/6340)]
@ -2327,7 +2327,7 @@ FEATURES:
IMPROVEMENTS: IMPROVEMENTS:
* proxy: With `-register` flag, heartbeat failures will only log once service registration succeeds. [[GH-4314](https://github.com/hashicorp/consul/pull/4314)] * proxy: With `-register` flag, heartbeat failures will only log once service registration succeeds. [[GH-4314](https://github.com/hashicorp/consul/pull/4314)]
* http: 1.0.3 introduced rejection of non-printable chars in HTTP URLs due to a security vulnerability. Some users who had keys written with an older version which are now dissallowed were unable to delete them. A new config option [disable_http_unprintable_char_filter](https://www.consul.io/docs/agent/options.html#disable_http_unprintable_char_filter) is added to allow those users to remove the offending keys. Leaving this new option set long term is strongly discouraged as it bypasses filtering necessary to prevent some known vulnerabilities. [[GH-4442](https://github.com/hashicorp/consul/pull/4442)] * http: 1.0.3 introduced rejection of non-printable chars in HTTP URLs due to a security vulnerability. Some users who had keys written with an older version which are now dissallowed were unable to delete them. A new config option [disable_http_unprintable_char_filter](https://www.consul.io/docs/agent/config/config-files.html#disable_http_unprintable_char_filter) is added to allow those users to remove the offending keys. Leaving this new option set long term is strongly discouraged as it bypasses filtering necessary to prevent some known vulnerabilities. [[GH-4442](https://github.com/hashicorp/consul/pull/4442)]
* agent: Allow for advanced configuration of some gossip related parameters. [[GH-4058](https://github.com/hashicorp/consul/issues/4058)] * agent: Allow for advanced configuration of some gossip related parameters. [[GH-4058](https://github.com/hashicorp/consul/issues/4058)]
* agent: Make some Gossip tuneables configurable via the config file [[GH-4444](https://github.com/hashicorp/consul/pull/4444)] * agent: Make some Gossip tuneables configurable via the config file [[GH-4444](https://github.com/hashicorp/consul/pull/4444)]
* ui: Included searching on `.Tags` when using the freetext search field. [[GH-4383](https://github.com/hashicorp/consul/pull/4383)] * ui: Included searching on `.Tags` when using the freetext search field. [[GH-4383](https://github.com/hashicorp/consul/pull/4383)]
@ -2559,13 +2559,13 @@ IMPROVEMENTS:
* agent: (Consul Enterprise) Added [AWS KMS support](http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html) for S3 snapshots using the snapshot agent. * agent: (Consul Enterprise) Added [AWS KMS support](http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html) for S3 snapshots using the snapshot agent.
* agent: Watches in the Consul agent can now be configured to invoke an HTTP endpoint instead of an executable. [[GH-3305](https://github.com/hashicorp/consul/issues/3305)] * agent: Watches in the Consul agent can now be configured to invoke an HTTP endpoint instead of an executable. [[GH-3305](https://github.com/hashicorp/consul/issues/3305)]
* agent: Added a new [`-config-format`](https://www.consul.io/docs/agent/options.html#_config_format) command line option which can be set to `hcl` or `json` to specify the format of configuration files. This is useful for cases where the file name cannot be controlled in order to provide the required extension. [[GH-3620](https://github.com/hashicorp/consul/issues/3620)] * agent: Added a new [`-config-format`](https://www.consul.io/docs/agent/config/cli-flags.html#_config_format) command line option which can be set to `hcl` or `json` to specify the format of configuration files. This is useful for cases where the file name cannot be controlled in order to provide the required extension. [[GH-3620](https://github.com/hashicorp/consul/issues/3620)]
* agent: DNS recursors can now be specified as [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) templates. [[GH-2932](https://github.com/hashicorp/consul/issues/2932)] * agent: DNS recursors can now be specified as [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) templates. [[GH-2932](https://github.com/hashicorp/consul/issues/2932)]
* agent: Serf snapshots no longer save network coordinate information. This enables recovery from errors upon agent restart. [[GH-489](https://github.com/hashicorp/serf/issues/489)] * agent: Serf snapshots no longer save network coordinate information. This enables recovery from errors upon agent restart. [[GH-489](https://github.com/hashicorp/serf/issues/489)]
* agent: Added defensive code to prevent out of range ping times from infecting network coordinates. Updates to the coordinate system with negative round trip times or round trip times higher than 10 seconds will log an error but will be ignored. * agent: Added defensive code to prevent out of range ping times from infecting network coordinates. Updates to the coordinate system with negative round trip times or round trip times higher than 10 seconds will log an error but will be ignored.
* agent: The agent now warns when there are extra unparsed command line arguments and refuses to start. [[GH-3397](https://github.com/hashicorp/consul/issues/3397)] * agent: The agent now warns when there are extra unparsed command line arguments and refuses to start. [[GH-3397](https://github.com/hashicorp/consul/issues/3397)]
* agent: Updated go-sockaddr library to get CoreOS route detection fixes and the new `mask` functionality. [[GH-3633](https://github.com/hashicorp/consul/issues/3633)] * agent: Updated go-sockaddr library to get CoreOS route detection fixes and the new `mask` functionality. [[GH-3633](https://github.com/hashicorp/consul/issues/3633)]
* agent: Added a new [`enable_agent_tls_for_checks`](https://www.consul.io/docs/agent/options.html#enable_agent_tls_for_checks) configuration option that allows HTTP health checks for services requiring 2-way TLS to be checked using the agent's credentials. [[GH-3364](https://github.com/hashicorp/consul/issues/3364)] * agent: Added a new [`enable_agent_tls_for_checks`](https://www.consul.io/docs/agent/config/config-files.html#enable_agent_tls_for_checks) configuration option that allows HTTP health checks for services requiring 2-way TLS to be checked using the agent's credentials. [[GH-3364](https://github.com/hashicorp/consul/issues/3364)]
* agent: Made logging of health check status more uniform and moved log entries with full check output from DEBUG to TRACE level for less noise. [[GH-3683](https://github.com/hashicorp/consul/issues/3683)] * agent: Made logging of health check status more uniform and moved log entries with full check output from DEBUG to TRACE level for less noise. [[GH-3683](https://github.com/hashicorp/consul/issues/3683)]
* build: Consul is now built with Go 1.9.2. [[GH-3663](https://github.com/hashicorp/consul/issues/3663)] * build: Consul is now built with Go 1.9.2. [[GH-3663](https://github.com/hashicorp/consul/issues/3663)]
@ -2590,8 +2590,8 @@ SECURITY:
BREAKING CHANGES: BREAKING CHANGES:
* **Raft Protocol Now Defaults to 3:** The [`-raft-protocol`](https://www.consul.io/docs/agent/options.html#_raft_protocol) default has been changed from 2 to 3, enabling all [Autopilot](https://www.consul.io/docs/guides/autopilot.html) features by default. Version 3 requires Consul running 0.8.0 or newer on all servers in order to work, so if you are upgrading with older servers in a cluster then you will need to set this back to 2 in order to upgrade. See [Raft Protocol Version Compatibility](https://www.consul.io/docs/upgrade-specific.html#raft-protocol-version-compatibility) for more details. Also the format of `peers.json` used for outage recovery is different when running with the lastest Raft protocol. See [Manual Recovery Using peers.json](https://www.consul.io/docs/guides/outage.html#manual-recovery-using-peers-json) for a description of the required format. [[GH-3477](https://github.com/hashicorp/consul/issues/3477)] * **Raft Protocol Now Defaults to 3:** The [`-raft-protocol`](https://www.consul.io/docs/agent/config/cli-flags.html#_raft_protocol) default has been changed from 2 to 3, enabling all [Autopilot](https://www.consul.io/docs/guides/autopilot.html) features by default. Version 3 requires Consul running 0.8.0 or newer on all servers in order to work, so if you are upgrading with older servers in a cluster then you will need to set this back to 2 in order to upgrade. See [Raft Protocol Version Compatibility](https://www.consul.io/docs/upgrade-specific.html#raft-protocol-version-compatibility) for more details. Also the format of `peers.json` used for outage recovery is different when running with the lastest Raft protocol. See [Manual Recovery Using peers.json](https://www.consul.io/docs/guides/outage.html#manual-recovery-using-peers-json) for a description of the required format. [[GH-3477](https://github.com/hashicorp/consul/issues/3477)]
* **Config Files Require an Extension:** As part of supporting the [HCL](https://github.com/hashicorp/hcl#syntax) format for Consul's config files, an `.hcl` or `.json` extension is required for all config files loaded by Consul, even when using the [`-config-file`](https://www.consul.io/docs/agent/options.html#_config_file) argument to specify a file directly. [[GH-3480](https://github.com/hashicorp/consul/issues/3480)] * **Config Files Require an Extension:** As part of supporting the [HCL](https://github.com/hashicorp/hcl#syntax) format for Consul's config files, an `.hcl` or `.json` extension is required for all config files loaded by Consul, even when using the [`-config-file`](https://www.consul.io/docs/agent/config/cli-flags.html#_config_file) argument to specify a file directly. [[GH-3480](https://github.com/hashicorp/consul/issues/3480)]
* **Deprecated Options Have Been Removed:** All of Consul's previously deprecated command line flags and config options have been removed, so these will need to be mapped to their equivalents before upgrading. [[GH-3480](https://github.com/hashicorp/consul/issues/3480)] * **Deprecated Options Have Been Removed:** All of Consul's previously deprecated command line flags and config options have been removed, so these will need to be mapped to their equivalents before upgrading. [[GH-3480](https://github.com/hashicorp/consul/issues/3480)]
<details><summary>Detailed List of Removed Options and their Equivalents</summary> <details><summary>Detailed List of Removed Options and their Equivalents</summary>
@ -2602,35 +2602,35 @@ BREAKING CHANGES:
| `-atlas-token`| None, Atlas is no longer supported. | | `-atlas-token`| None, Atlas is no longer supported. |
| `-atlas-join` | None, Atlas is no longer supported. | | `-atlas-join` | None, Atlas is no longer supported. |
| `-atlas-endpoint` | None, Atlas is no longer supported. | | `-atlas-endpoint` | None, Atlas is no longer supported. |
| `-dc` | [`-datacenter`](https://www.consul.io/docs/agent/options.html#_datacenter) | | `-dc` | [`-datacenter`](https://www.consul.io/docs/agent/config/cli-flags.html#_datacenter) |
| `-retry-join-azure-tag-name` | [`-retry-join`](https://www.consul.io/docs/agent/options.html#microsoft-azure) | | `-retry-join-azure-tag-name` | [`-retry-join`](https://www.consul.io/docs/agent/config/cli-flags.html#_retry_join) |
| `-retry-join-azure-tag-value` | [`-retry-join`](https://www.consul.io/docs/agent/options.html#microsoft-azure) | | `-retry-join-azure-tag-value` | [`-retry-join`](https://www.consul.io/docs/agent/config/cli-flags.html#_retry_join) |
| `-retry-join-ec2-region` | [`-retry-join`](https://www.consul.io/docs/agent/options.html#amazon-ec2) | | `-retry-join-ec2-region` | [`-retry-join`](https://www.consul.io/docs/agent/config/cli-flags.html#_retry_join) |
| `-retry-join-ec2-tag-key` | [`-retry-join`](https://www.consul.io/docs/agent/options.html#amazon-ec2) | | `-retry-join-ec2-tag-key` | [`-retry-join`](https://www.consul.io/docs/agent/config/cli-flags.html#_retry_join) |
| `-retry-join-ec2-tag-value` | [`-retry-join`](https://www.consul.io/docs/agent/options.html#amazon-ec2) | | `-retry-join-ec2-tag-value` | [`-retry-join`](https://www.consul.io/docs/agent/config/cli-flags.html#_retry_join) |
| `-retry-join-gce-credentials-file` | [`-retry-join`](https://www.consul.io/docs/agent/options.html#google-compute-engine) | | `-retry-join-gce-credentials-file` | [`-retry-join`](https://www.consul.io/docs/agent/config/cli-flags.html#_retry_join) |
| `-retry-join-gce-project-name` | [`-retry-join`](https://www.consul.io/docs/agent/options.html#google-compute-engine) | | `-retry-join-gce-project-name` | [`-retry-join`](https://www.consul.io/docs/agent/config/cli-flags.html#_retry_join) |
| `-retry-join-gce-tag-name` | [`-retry-join`](https://www.consul.io/docs/agent/options.html#google-compute-engine) | | `-retry-join-gce-tag-name` | [`-retry-join`](https://www.consul.io/docs/agent/config/cli-flags.html#_retry_join) |
| `-retry-join-gce-zone-pattern` | [`-retry-join`](https://www.consul.io/docs/agent/options.html#google-compute-engine) | | `-retry-join-gce-zone-pattern` | [`-retry-join`](https://www.consul.io/docs/agent/config/cli-flags.html#_retry_join) |
| `addresses.rpc` | None, the RPC server for CLI commands is no longer supported. | | `addresses.rpc` | None, the RPC server for CLI commands is no longer supported. |
| `advertise_addrs` | [`ports`](https://www.consul.io/docs/agent/options.html#ports) with [`advertise_addr`](https://www.consul/io/docs/agent/options.html#advertise_addr) and/or [`advertise_addr_wan`](https://www.consul.io/docs/agent/options.html#advertise_addr_wan) | | `advertise_addrs` | [`ports`](https://www.consul.io/docs/agent/config/config-files.html#ports) with [`advertise_addr`](https://www.consul/io/docs/agent/config/config-files.html#advertise_addr) and/or [`advertise_addr_wan`](https://www.consul.io/docs/agent/config/config-files.html#advertise_addr_wan) |
| `atlas_infrastructure` | None, Atlas is no longer supported. | | `atlas_infrastructure` | None, Atlas is no longer supported. |
| `atlas_token` | None, Atlas is no longer supported. | | `atlas_token` | None, Atlas is no longer supported. |
| `atlas_acl_token` | None, Atlas is no longer supported. | | `atlas_acl_token` | None, Atlas is no longer supported. |
| `atlas_join` | None, Atlas is no longer supported. | | `atlas_join` | None, Atlas is no longer supported. |
| `atlas_endpoint` | None, Atlas is no longer supported. | | `atlas_endpoint` | None, Atlas is no longer supported. |
| `dogstatsd_addr` | [`telemetry.dogstatsd_addr`](https://www.consul.io/docs/agent/options.html#telemetry-dogstatsd_addr) | | `dogstatsd_addr` | [`telemetry.dogstatsd_addr`](https://www.consul.io/docs/agent/config/config-files.html#telemetry-dogstatsd_addr) |
| `dogstatsd_tags` | [`telemetry.dogstatsd_tags`](https://www.consul.io/docs/agent/options.html#telemetry-dogstatsd_tags) | | `dogstatsd_tags` | [`telemetry.dogstatsd_tags`](https://www.consul.io/docs/agent/config/config-files.html#telemetry-dogstatsd_tags) |
| `http_api_response_headers` | [`http_config.response_headers`](https://www.consul.io/docs/agent/options.html#response_headers) | | `http_api_response_headers` | [`http_config.response_headers`](https://www.consul.io/docs/agent/config/config-files.html#response_headers) |
| `ports.rpc` | None, the RPC server for CLI commands is no longer supported. | | `ports.rpc` | None, the RPC server for CLI commands is no longer supported. |
| `recursor` | [`recursors`](https://github.com/hashicorp/consul/blob/main/website/source/docs/agent/options.html.md#recursors) | | `recursor` | [`recursors`](https://github.com/hashicorp/consul/blob/main/website/source/docs/agent/config/config-files.html.md#recursors) |
| `retry_join_azure` | [`-retry-join`](https://www.consul.io/docs/agent/options.html#microsoft-azure) | | `retry_join_azure` | [`-retry-join`](https://www.consul.io/docs/agent/config/cli-flags.html#_retry_join) |
| `retry_join_ec2` | [`-retry-join`](https://www.consul.io/docs/agent/options.html#amazon-ec2) | | `retry_join_ec2` | [`-retry-join`](https://www.consul.io/docs/agent/config/cli-flags.html#_retry_join) |
| `retry_join_gce` | [`-retry-join`](https://www.consul.io/docs/agent/options.html#google-compute-engine) | | `retry_join_gce` | [`-retry-join`](https://www.consul.io/docs/agent/config/cli-flags.html#_retry_join) |
| `statsd_addr` | [`telemetry.statsd_address`](https://github.com/hashicorp/consul/blob/main/website/source/docs/agent/options.html.md#telemetry-statsd_address) | | `statsd_addr` | [`telemetry.statsd_address`](https://github.com/hashicorp/consul/blob/main/website/source/docs/agent/config/config-files.html.md#telemetry-statsd_address) |
| `statsite_addr` | [`telemetry.statsite_address`](https://github.com/hashicorp/consul/blob/main/website/source/docs/agent/options.html.md#telemetry-statsite_address) | | `statsite_addr` | [`telemetry.statsite_address`](https://github.com/hashicorp/consul/blob/main/website/source/docs/agent/config/config-files.html.md#telemetry-statsite_address) |
| `statsite_prefix` | [`telemetry.metrics_prefix`](https://www.consul.io/docs/agent/options.html#telemetry-metrics_prefix) | | `statsite_prefix` | [`telemetry.metrics_prefix`](https://www.consul.io/docs/agent/config/config-files.html#telemetry-metrics_prefix) |
| `telemetry.statsite_prefix` | [`telemetry.metrics_prefix`](https://www.consul.io/docs/agent/options.html#telemetry-metrics_prefix) | | `telemetry.statsite_prefix` | [`telemetry.metrics_prefix`](https://www.consul.io/docs/agent/config/config-files.html#telemetry-metrics_prefix) |
| (service definitions) `serviceid` | [`service_id`](https://www.consul.io/docs/agent/services.html) | | (service definitions) `serviceid` | [`service_id`](https://www.consul.io/docs/agent/services.html) |
| (service definitions) `dockercontainerid` | [`docker_container_id`](https://www.consul.io/docs/agent/services.html) | | (service definitions) `dockercontainerid` | [`docker_container_id`](https://www.consul.io/docs/agent/services.html) |
| (service definitions) `tlsskipverify` | [`tls_skip_verify`](https://www.consul.io/docs/agent/services.html) | | (service definitions) `tlsskipverify` | [`tls_skip_verify`](https://www.consul.io/docs/agent/services.html) |
@ -2638,9 +2638,9 @@ BREAKING CHANGES:
</details> </details>
* **`statsite_prefix` Renamed to `metrics_prefix`:** Since the `statsite_prefix` configuration option applied to all telemetry providers, `statsite_prefix` was renamed to [`metrics_prefix`](https://www.consul.io/docs/agent/options.html#telemetry-metrics_prefix). Configuration files will need to be updated when upgrading to this version of Consul. [[GH-3498](https://github.com/hashicorp/consul/issues/3498)] * **`statsite_prefix` Renamed to `metrics_prefix`:** Since the `statsite_prefix` configuration option applied to all telemetry providers, `statsite_prefix` was renamed to [`metrics_prefix`](https://www.consul.io/docs/agent/config/config-files.html#telemetry-metrics_prefix). Configuration files will need to be updated when upgrading to this version of Consul. [[GH-3498](https://github.com/hashicorp/consul/issues/3498)]
* **`advertise_addrs` Removed:** This configuration option was removed since it was redundant with `advertise_addr` and `advertise_addr_wan` in combination with `ports` and also wrongly stated that you could configure both host and port. [[GH-3516](https://github.com/hashicorp/consul/issues/3516)] * **`advertise_addrs` Removed:** This configuration option was removed since it was redundant with `advertise_addr` and `advertise_addr_wan` in combination with `ports` and also wrongly stated that you could configure both host and port. [[GH-3516](https://github.com/hashicorp/consul/issues/3516)]
* **Escaping Behavior Changed for go-discover Configs:** The format for [`-retry-join`](https://www.consul.io/docs/agent/options.html#retry-join) and [`-retry-join-wan`](https://www.consul.io/docs/agent/options.html#retry-join-wan) values that use [go-discover](https://github.com/hashicorp/go-discover) Cloud auto joining has changed. Values in `key=val` sequences must no longer be URL encoded and can be provided as literals as long as they do not contain spaces, backslashes `\` or double quotes `"`. If values contain these characters then use double quotes as in `"some key"="some value"`. Special characters within a double quoted string can be escaped with a backslash `\`. [[GH-3417](https://github.com/hashicorp/consul/issues/3417)] * **Escaping Behavior Changed for go-discover Configs:** The format for [`-retry-join`](https://www.consul.io/docs/agent/config/cli-flags.html#_retry_join) and [`-retry-join-wan`](https://www.consul.io/docs/agent/config/cli-flags.html#_retry_join_wan) values that use [go-discover](https://github.com/hashicorp/go-discover) Cloud auto joining has changed. Values in `key=val` sequences must no longer be URL encoded and can be provided as literals as long as they do not contain spaces, backslashes `\` or double quotes `"`. If values contain these characters then use double quotes as in `"some key"="some value"`. Special characters within a double quoted string can be escaped with a backslash `\`. [[GH-3417](https://github.com/hashicorp/consul/issues/3417)]
* **HTTP Verbs are Enforced in Many HTTP APIs:** Many endpoints in the HTTP API that previously took any HTTP verb now check for specific HTTP verbs and enforce them. This may break clients relying on the old behavior. [[GH-3405](https://github.com/hashicorp/consul/issues/3405)] * **HTTP Verbs are Enforced in Many HTTP APIs:** Many endpoints in the HTTP API that previously took any HTTP verb now check for specific HTTP verbs and enforce them. This may break clients relying on the old behavior. [[GH-3405](https://github.com/hashicorp/consul/issues/3405)]
<details><summary>Detailed List of Updated Endpoints and Required HTTP Verbs</summary> <details><summary>Detailed List of Updated Endpoints and Required HTTP Verbs</summary>
@ -2721,7 +2721,7 @@ BREAKING CHANGES:
FEATURES: FEATURES:
* **Support for HCL Config Files:** Consul now supports HashiCorp's [HCL](https://github.com/hashicorp/hcl#syntax) format for config files. This is easier to work with than JSON and supports comments. As part of this change, all config files will need to have either an `.hcl` or `.json` extension in order to specify their format. [[GH-3480](https://github.com/hashicorp/consul/issues/3480)] * **Support for HCL Config Files:** Consul now supports HashiCorp's [HCL](https://github.com/hashicorp/hcl#syntax) format for config files. This is easier to work with than JSON and supports comments. As part of this change, all config files will need to have either an `.hcl` or `.json` extension in order to specify their format. [[GH-3480](https://github.com/hashicorp/consul/issues/3480)]
* **Support for Binding to Multiple Addresses:** Consul now supports binding to multiple addresses for its HTTP, HTTPS, and DNS services. You can provide a space-separated list of addresses to [`-client`](https://www.consul.io/docs/agent/options.html#_client) and [`addresses`](https://www.consul.io/docs/agent/options.html#addresses) configurations, or specify a [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) template that resolves to multiple addresses. [[GH-3480](https://github.com/hashicorp/consul/issues/3480)] * **Support for Binding to Multiple Addresses:** Consul now supports binding to multiple addresses for its HTTP, HTTPS, and DNS services. You can provide a space-separated list of addresses to [`-client`](https://www.consul.io/docs/agent/config/cli-flags.html#_client) and [`addresses`](https://www.consul.io/docs/agent/config/config-files.html#addresses) configurations, or specify a [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) template that resolves to multiple addresses. [[GH-3480](https://github.com/hashicorp/consul/issues/3480)]
* **Support for RFC1464 DNS TXT records:** Consul DNS responses now contain the node meta data encoded according to RFC1464 as TXT records. [[GH-3343](https://github.com/hashicorp/consul/issues/3343)] * **Support for RFC1464 DNS TXT records:** Consul DNS responses now contain the node meta data encoded according to RFC1464 as TXT records. [[GH-3343](https://github.com/hashicorp/consul/issues/3343)]
* **Support for Running Subproccesses Directly Without a Shell:** Consul agent checks and watches now support an `args` configuration which is a list of arguments to run for the subprocess, which runs the subprocess directly without a shell. The old `script` and `handler` configurations are now deprecated (specify a shell explicitly if you require one). A `-shell=false` option is also available on `consul lock`, `consul watch`, and `consul exec` to run the subprocesses associated with those without a shell. [[GH-3509](https://github.com/hashicorp/consul/issues/3509)] * **Support for Running Subproccesses Directly Without a Shell:** Consul agent checks and watches now support an `args` configuration which is a list of arguments to run for the subprocess, which runs the subprocess directly without a shell. The old `script` and `handler` configurations are now deprecated (specify a shell explicitly if you require one). A `-shell=false` option is also available on `consul lock`, `consul watch`, and `consul exec` to run the subprocesses associated with those without a shell. [[GH-3509](https://github.com/hashicorp/consul/issues/3509)]
* **Sentinel Integration:** (Consul Enterprise) Consul's ACL system integrates with [Sentinel](https://www.consul.io/docs/guides/sentinel.html) to enable code policies that apply to KV writes. * **Sentinel Integration:** (Consul Enterprise) Consul's ACL system integrates with [Sentinel](https://www.consul.io/docs/guides/sentinel.html) to enable code policies that apply to KV writes.
@ -2732,7 +2732,7 @@ IMPROVEMENTS:
* agent: Improved /v1/operator/raft/configuration endpoint which allows Consul to avoid an extra agent RPC call for the `consul operator raft list-peers` command. [[GH-3449](https://github.com/hashicorp/consul/issues/3449)] * agent: Improved /v1/operator/raft/configuration endpoint which allows Consul to avoid an extra agent RPC call for the `consul operator raft list-peers` command. [[GH-3449](https://github.com/hashicorp/consul/issues/3449)]
* agent: Improved ACL system for the KV store to support list permissions. This behavior can be opted in. For more information, see the [ACL Guide](https://www.consul.io/docs/guides/acl.html#list-policy-for-keys). [[GH-3511](https://github.com/hashicorp/consul/issues/3511)] * agent: Improved ACL system for the KV store to support list permissions. This behavior can be opted in. For more information, see the [ACL Guide](https://www.consul.io/docs/guides/acl.html#list-policy-for-keys). [[GH-3511](https://github.com/hashicorp/consul/issues/3511)]
* agent: Updates miekg/dns library to later version to pick up bug fixes and improvements. [[GH-3547](https://github.com/hashicorp/consul/issues/3547)] * agent: Updates miekg/dns library to later version to pick up bug fixes and improvements. [[GH-3547](https://github.com/hashicorp/consul/issues/3547)]
* agent: Added automatic retries to the RPC path, and a brief RPC drain time when servers leave. These changes make Consul more robust during graceful leaves of Consul servers, such as during upgrades, and help shield applications from "no leader" errors. These are configured with new [`performance`](https://www.consul.io/docs/agent/options.html#performance) options. [[GH-3514](https://github.com/hashicorp/consul/issues/3514)] * agent: Added automatic retries to the RPC path, and a brief RPC drain time when servers leave. These changes make Consul more robust during graceful leaves of Consul servers, such as during upgrades, and help shield applications from "no leader" errors. These are configured with new [`performance`](https://www.consul.io/docs/agent/config/config-files.html#performance) options. [[GH-3514](https://github.com/hashicorp/consul/issues/3514)]
* agent: Added a new `discard_check_output` agent-level configuration option that can be used to trade off write load to the Consul servers vs. visibility of health check output. This is reloadable so it can be toggled without fully restarting the agent. [[GH-3562](https://github.com/hashicorp/consul/issues/3562)] * agent: Added a new `discard_check_output` agent-level configuration option that can be used to trade off write load to the Consul servers vs. visibility of health check output. This is reloadable so it can be toggled without fully restarting the agent. [[GH-3562](https://github.com/hashicorp/consul/issues/3562)]
* api: Updated the API client to ride out network errors when monitoring locks and semaphores. [[GH-3553](https://github.com/hashicorp/consul/issues/3553)] * api: Updated the API client to ride out network errors when monitoring locks and semaphores. [[GH-3553](https://github.com/hashicorp/consul/issues/3553)]
* build: Updated Go toolchain to version 1.9.1. [[GH-3537](https://github.com/hashicorp/consul/issues/3537)] * build: Updated Go toolchain to version 1.9.1. [[GH-3537](https://github.com/hashicorp/consul/issues/3537)]
@ -2760,7 +2760,7 @@ SECURITY:
FEATURES: FEATURES:
* **LAN Network Segments:** (Consul Enterprise) Added a new [Network Segments](https://www.consul.io/docs/guides/segments.html) capability which allows users to configure Consul to support segmented LAN topologies with multiple, distinct gossip pools. [[GH-3431](https://github.com/hashicorp/consul/issues/3431)] * **LAN Network Segments:** (Consul Enterprise) Added a new [Network Segments](https://www.consul.io/docs/guides/segments.html) capability which allows users to configure Consul to support segmented LAN topologies with multiple, distinct gossip pools. [[GH-3431](https://github.com/hashicorp/consul/issues/3431)]
* **WAN Join for Cloud Providers:** Added WAN support for retry join for Cloud providers via go-discover, including Amazon AWS, Microsoft Azure, Google Cloud, and SoftLayer. This uses the same "provider" syntax supported for `-retry-join` via the `-retry-join-wan` configuration. [[GH-3406](https://github.com/hashicorp/consul/issues/3406)] * **WAN Join for Cloud Providers:** Added WAN support for retry join for Cloud providers via go-discover, including Amazon AWS, Microsoft Azure, Google Cloud, and SoftLayer. This uses the same "provider" syntax supported for `-retry-join` via the `-retry-join-wan` configuration. [[GH-3406](https://github.com/hashicorp/consul/issues/3406)]
* **RPC Rate Limiter:** Consul agents in client mode have a new [`limits`](https://www.consul.io/docs/agent/options.html#limits) configuration that enables a rate limit on RPC calls the agent makes to Consul servers. [[GH-3140](https://github.com/hashicorp/consul/issues/3140)] * **RPC Rate Limiter:** Consul agents in client mode have a new [`limits`](https://www.consul.io/docs/agent/config/config-files.html#limits) configuration that enables a rate limit on RPC calls the agent makes to Consul servers. [[GH-3140](https://github.com/hashicorp/consul/issues/3140)]
IMPROVEMENTS: IMPROVEMENTS:
@ -2790,13 +2790,13 @@ BUG FIXES:
FEATURES: FEATURES:
* **Secure ACL Token Introduction:** It's now possible to manage Consul's ACL tokens without having to place any tokens inside configuration files. This supports introduction of tokens as well as rotating. This is enabled with two new APIs: * **Secure ACL Token Introduction:** It's now possible to manage Consul's ACL tokens without having to place any tokens inside configuration files. This supports introduction of tokens as well as rotating. This is enabled with two new APIs:
* A new [`/v1/agent/token`](https://www.consul.io/api/agent.html#update-acl-tokens) API allows an agent's ACL tokens to be introduced without placing them into config files, and to update them without restarting the agent. See the [ACL Guide](https://www.consul.io/docs/guides/acl.html#create-an-agent-token) for an example. This was extended to ACL replication as well, along with a new [`enable_acl_replication`](https://www.consul.io/docs/agent/options.html#enable_acl_replication) config option. [GH-3324,GH-3357] * A new [`/v1/agent/token`](https://www.consul.io/api/agent.html#update-acl-tokens) API allows an agent's ACL tokens to be introduced without placing them into config files, and to update them without restarting the agent. See the [ACL Guide](https://www.consul.io/docs/guides/acl.html#create-an-agent-token) for an example. This was extended to ACL replication as well, along with a new [`enable_acl_replication`](https://www.consul.io/docs/agent/config/config-files.html#enable_acl_replication) config option. [GH-3324,GH-3357]
* A new [`/v1/acl/bootstrap`](https://www.consul.io/api/acl.html#bootstrap-acls) allows a cluster's first management token to be created without using the `acl_master_token` configuration. See the [ACL Guide](https://www.consul.io/docs/guides/acl.html#bootstrapping-acls) for an example. [[GH-3349](https://github.com/hashicorp/consul/issues/3349)] * A new [`/v1/acl/bootstrap`](https://www.consul.io/api/acl.html#bootstrap-acls) allows a cluster's first management token to be created without using the `acl_master_token` configuration. See the [ACL Guide](https://www.consul.io/docs/guides/acl.html#bootstrapping-acls) for an example. [[GH-3349](https://github.com/hashicorp/consul/issues/3349)]
* **Metrics Viewing Endpoint:** A new [`/v1/agent/metrics`](https://www.consul.io/api/agent.html#view-metrics) API displays the current values of internally tracked metrics. [[GH-3369](https://github.com/hashicorp/consul/issues/3369)] * **Metrics Viewing Endpoint:** A new [`/v1/agent/metrics`](https://www.consul.io/api/agent.html#view-metrics) API displays the current values of internally tracked metrics. [[GH-3369](https://github.com/hashicorp/consul/issues/3369)]
IMPROVEMENTS: IMPROVEMENTS:
* agent: Retry Join for Amazon AWS, Microsoft Azure, Google Cloud, and (new) SoftLayer is now handled through the https://github.com/hashicorp/go-discover library. With this all `-retry-join-{ec2,azure,gce}-*` parameters have been deprecated in favor of a unified configuration. See [`-retry-join`](https://www.consul.io/docs/agent/options.html#_retry_join) for details. [GH-3282,GH-3351] * agent: Retry Join for Amazon AWS, Microsoft Azure, Google Cloud, and (new) SoftLayer is now handled through the https://github.com/hashicorp/go-discover library. With this all `-retry-join-{ec2,azure,gce}-*` parameters have been deprecated in favor of a unified configuration. See [`-retry-join`](https://www.consul.io/docs/agent/config/cli-flags.html#_retry_join) for details. [GH-3282,GH-3351]
* agent: Reports a more detailed error message if the LAN or WAN Serf instance fails to bind to an address. [[GH-3312](https://github.com/hashicorp/consul/issues/3312)] * agent: Reports a more detailed error message if the LAN or WAN Serf instance fails to bind to an address. [[GH-3312](https://github.com/hashicorp/consul/issues/3312)]
* agent: Added NS records and corrected SOA records to allow Consul's DNS interface to work properly with zone delegation. [[GH-1301](https://github.com/hashicorp/consul/issues/1301)] * agent: Added NS records and corrected SOA records to allow Consul's DNS interface to work properly with zone delegation. [[GH-1301](https://github.com/hashicorp/consul/issues/1301)]
* agent: Added support for sending metrics with labels/tags to supported backends. [[GH-3369](https://github.com/hashicorp/consul/issues/3369)] * agent: Added support for sending metrics with labels/tags to supported backends. [[GH-3369](https://github.com/hashicorp/consul/issues/3369)]
@ -2820,13 +2820,13 @@ BUG FIXES:
BREAKING CHANGES: BREAKING CHANGES:
* agent: Added a new [`enable_script_checks`](https://www.consul.io/docs/agent/options.html#_enable_script_checks) configuration option that defaults to `false`, meaning that in order to allow an agent to run health checks that execute scripts, this will need to be configured and set to `true`. This provides a safer out-of-the-box configuration for Consul where operators must opt-in to allow script-based health checks. [[GH-3087](https://github.com/hashicorp/consul/issues/3087)] * agent: Added a new [`enable_script_checks`](https://www.consul.io/docs/agent/config/cli-flags.html#_enable_script_checks) configuration option that defaults to `false`, meaning that in order to allow an agent to run health checks that execute scripts, this will need to be configured and set to `true`. This provides a safer out-of-the-box configuration for Consul where operators must opt-in to allow script-based health checks. [[GH-3087](https://github.com/hashicorp/consul/issues/3087)]
* api: Reworked `context` support in the API client to more closely match the Go standard library, and added context support to write requests in addition to read requests. [GH-3273, GH-2992] * api: Reworked `context` support in the API client to more closely match the Go standard library, and added context support to write requests in addition to read requests. [GH-3273, GH-2992]
* ui: Since the UI is now bundled with the application we no longer provide a separate UI package for downloading. [[GH-3292](https://github.com/hashicorp/consul/issues/3292)] * ui: Since the UI is now bundled with the application we no longer provide a separate UI package for downloading. [[GH-3292](https://github.com/hashicorp/consul/issues/3292)]
FEATURES: FEATURES:
* agent: Added a new [`block_endpoints`](https://www.consul.io/docs/agent/options.html#block_endpoints) configuration option that allows blocking HTTP API endpoints by prefix. This allows operators to completely disallow access to specific endpoints on a given agent. [[GH-3252](https://github.com/hashicorp/consul/issues/3252)] * agent: Added a new [`block_endpoints`](https://www.consul.io/docs/agent/config/config-files.html#block_endpoints) configuration option that allows blocking HTTP API endpoints by prefix. This allows operators to completely disallow access to specific endpoints on a given agent. [[GH-3252](https://github.com/hashicorp/consul/issues/3252)]
* cli: Added a new [`consul catalog`](https://www.consul.io/docs/commands/catalog.html) command for reading datacenters, nodes, and services from the catalog. [[GH-3204](https://github.com/hashicorp/consul/issues/3204)] * cli: Added a new [`consul catalog`](https://www.consul.io/docs/commands/catalog.html) command for reading datacenters, nodes, and services from the catalog. [[GH-3204](https://github.com/hashicorp/consul/issues/3204)]
* server: (Consul Enterprise) Added a new [`consul operator area update`](https://www.consul.io/docs/commands/operator/area.html#update) command and corresponding HTTP endpoint to allow for transitioning the TLS setting of network areas at runtime. [[GH-3075](https://github.com/hashicorp/consul/issues/3075)] * server: (Consul Enterprise) Added a new [`consul operator area update`](https://www.consul.io/docs/commands/operator/area.html#update) command and corresponding HTTP endpoint to allow for transitioning the TLS setting of network areas at runtime. [[GH-3075](https://github.com/hashicorp/consul/issues/3075)]
* server: (Consul Enterprise) Added a new `UpgradeVersionTag` field to the Autopilot config to allow for using the migration feature to roll out configuration or cluster changes, without having to upgrade Consul itself. * server: (Consul Enterprise) Added a new `UpgradeVersionTag` field to the Autopilot config to allow for using the migration feature to roll out configuration or cluster changes, without having to upgrade Consul itself.
@ -2854,7 +2854,7 @@ BUG FIXES:
* agent: Fixed an issue in the Docker client where Docker checks would get EOF errors trying to connect to a volume-mounted Docker socket. [[GH-3254](https://github.com/hashicorp/consul/issues/3254)] * agent: Fixed an issue in the Docker client where Docker checks would get EOF errors trying to connect to a volume-mounted Docker socket. [[GH-3254](https://github.com/hashicorp/consul/issues/3254)]
* agent: Fixed a crash when using Azure auto discovery. [[GH-3193](https://github.com/hashicorp/consul/issues/3193)] * agent: Fixed a crash when using Azure auto discovery. [[GH-3193](https://github.com/hashicorp/consul/issues/3193)]
* agent: Added `node` read privileges to the `acl_agent_master_token` by default so it can see all nodes, which enables it to be used with operations like `consul members`. [[GH-3113](https://github.com/hashicorp/consul/issues/3113)] * agent: Added `node` read privileges to the `acl_agent_master_token` by default so it can see all nodes, which enables it to be used with operations like `consul members`. [[GH-3113](https://github.com/hashicorp/consul/issues/3113)]
* agent: Fixed an issue where enabling [`-disable-keyring-file`](https://www.consul.io/docs/agent/options.html#_disable_keyring_file) would cause gossip encryption to be disabled. [[GH-3243](https://github.com/hashicorp/consul/issues/3243)] * agent: Fixed an issue where enabling [`-disable-keyring-file`](https://www.consul.io/docs/agent/config/cli-flags.html#_disable_keyring_file) would cause gossip encryption to be disabled. [[GH-3243](https://github.com/hashicorp/consul/issues/3243)]
* agent: Fixed a race condition where checks that are not associated with any existing services were allowed to persist. [[GH-3297](https://github.com/hashicorp/consul/issues/3297)] * agent: Fixed a race condition where checks that are not associated with any existing services were allowed to persist. [[GH-3297](https://github.com/hashicorp/consul/issues/3297)]
* agent: Stop docker checks on service deregistration and on shutdown. [GH-3265, GH-3295] * agent: Stop docker checks on service deregistration and on shutdown. [GH-3265, GH-3295]
* server: Updated the Raft library to pull in a fix where servers that are very far behind in replication can get stuck in a loop trying to install snapshots. [[GH-3201](https://github.com/hashicorp/consul/issues/3201)] * server: Updated the Raft library to pull in a fix where servers that are very far behind in replication can get stuck in a loop trying to install snapshots. [[GH-3201](https://github.com/hashicorp/consul/issues/3201)]
@ -2871,7 +2871,7 @@ BUG FIXES:
BREAKING CHANGES: BREAKING CHANGES:
* agent: Parse values given to `?passing` for health endpoints. Previously Consul only checked for the existence of the querystring, not the value. That means using `?passing=false` would actually still include passing values. Consul now parses the value given to passing as a boolean. If no value is provided, the old behavior remains. This may be a breaking change for some users, but the old experience was incorrect and caused enough confusion to warrant changing it. [GH-2212, GH-3136] * agent: Parse values given to `?passing` for health endpoints. Previously Consul only checked for the existence of the querystring, not the value. That means using `?passing=false` would actually still include passing values. Consul now parses the value given to passing as a boolean. If no value is provided, the old behavior remains. This may be a breaking change for some users, but the old experience was incorrect and caused enough confusion to warrant changing it. [GH-2212, GH-3136]
* agent: The default value of [`-disable-host-node-id`](https://www.consul.io/docs/agent/options.html#_disable_host_node_id) has been changed from false to true. This means you need to opt-in to host-based node IDs and by default Consul will generate a random node ID. A high number of users struggled to deploy newer versions of Consul with host-based IDs because of various edge cases of how the host IDs work in Docker, on specially-provisioned machines, etc. so changing this from opt-out to opt-in will ease operations for many Consul users. [[GH-3171](https://github.com/hashicorp/consul/issues/3171)] * agent: The default value of [`-disable-host-node-id`](https://www.consul.io/docs/agent/config/cli-flags.html#_disable_host_node_id) has been changed from false to true. This means you need to opt-in to host-based node IDs and by default Consul will generate a random node ID. A high number of users struggled to deploy newer versions of Consul with host-based IDs because of various edge cases of how the host IDs work in Docker, on specially-provisioned machines, etc. so changing this from opt-out to opt-in will ease operations for many Consul users. [[GH-3171](https://github.com/hashicorp/consul/issues/3171)]
IMPROVEMENTS: IMPROVEMENTS:

View File

@ -841,7 +841,7 @@ type RuntimeConfig struct {
// PrimaryGateways is a list of addresses and/or go-discover expressions to // PrimaryGateways is a list of addresses and/or go-discover expressions to
// discovery the mesh gateways in the primary datacenter. See // discovery the mesh gateways in the primary datacenter. See
// https://www.consul.io/docs/agent/options.html#cloud-auto-joining for // https://www.consul.io/docs/agent/config/cli-flags.html#cloud-auto-joining for
// details. // details.
// //
// hcl: primary_gateways = []string // hcl: primary_gateways = []string
@ -997,7 +997,7 @@ type RuntimeConfig struct {
// RetryJoinLAN is a list of addresses and/or go-discover expressions to // RetryJoinLAN is a list of addresses and/or go-discover expressions to
// join with retry enabled. See // join with retry enabled. See
// https://www.consul.io/docs/agent/options.html#cloud-auto-joining for // https://www.consul.io/docs/agent/config/cli-flags.html#cloud-auto-joining for
// details. // details.
// //
// hcl: retry_join = []string // hcl: retry_join = []string
@ -1022,7 +1022,7 @@ type RuntimeConfig struct {
// RetryJoinWAN is a list of addresses and/or go-discover expressions to // RetryJoinWAN is a list of addresses and/or go-discover expressions to
// join -wan with retry enabled. See // join -wan with retry enabled. See
// https://www.consul.io/docs/agent/options.html#cloud-auto-joining for // https://www.consul.io/docs/agent/config/cli-flags.html#cloud-auto-joining for
// details. // details.
// //
// hcl: retry_join_wan = []string // hcl: retry_join_wan = []string

View File

@ -1537,7 +1537,7 @@ const peersInfoContent = `
As of Consul 0.7.0, the peers.json file is only used for recovery As of Consul 0.7.0, the peers.json file is only used for recovery
after an outage. The format of this file depends on what the server has after an outage. The format of this file depends on what the server has
configured for its Raft protocol version. Please see the agent configuration configured for its Raft protocol version. Please see the agent configuration
page at https://www.consul.io/docs/agent/options.html#_raft_protocol for more page at https://www.consul.io/docs/agent/config/cli-flags.html#_raft_protocol for more
details about this parameter. details about this parameter.
For Raft protocol version 2 and earlier, this should be formatted as a JSON For Raft protocol version 2 and earlier, this should be formatted as a JSON

View File

@ -208,10 +208,20 @@ func (s *HTTPHandlers) KVSPut(resp http.ResponseWriter, req *http.Request, args
// Check the content-length // Check the content-length
if req.ContentLength > int64(s.agent.config.KVMaxValueSize) { if req.ContentLength > int64(s.agent.config.KVMaxValueSize) {
<<<<<<< HEAD
return nil, EntityTooLargeError{ return nil, EntityTooLargeError{
Reason: fmt.Sprintf("Request body(%d bytes) too large, max size: %d bytes. See %s.", Reason: fmt.Sprintf("Request body(%d bytes) too large, max size: %d bytes. See %s.",
req.ContentLength, s.agent.config.KVMaxValueSize, "https://www.consul.io/docs/agent/options.html#kv_max_value_size"), req.ContentLength, s.agent.config.KVMaxValueSize, "https://www.consul.io/docs/agent/options.html#kv_max_value_size"),
} }
=======
resp.WriteHeader(http.StatusRequestEntityTooLarge)
fmt.Fprintf(resp,
"Request body(%d bytes) too large, max size: %d bytes. See %s.",
req.ContentLength, s.agent.config.KVMaxValueSize,
"https://www.consul.io/docs/agent/config/config-files.html#kv_max_value_size",
)
return nil, nil
>>>>>>> cd907b75cebdefe62a30986e0cdc7bd528c52159
} }
// Copy the value // Copy the value

View File

@ -87,10 +87,20 @@ func (s *HTTPHandlers) convertOps(resp http.ResponseWriter, req *http.Request) (
// Check Content-Length first before decoding to return early // Check Content-Length first before decoding to return early
if req.ContentLength > maxTxnLen { if req.ContentLength > maxTxnLen {
<<<<<<< HEAD
return nil, 0, EntityTooLargeError{ return nil, 0, EntityTooLargeError{
Reason: fmt.Sprintf("Request body(%d bytes) too large, max size: %d bytes. See %s.", Reason: fmt.Sprintf("Request body(%d bytes) too large, max size: %d bytes. See %s.",
req.ContentLength, maxTxnLen, "https://www.consul.io/docs/agent/options.html#txn_max_req_len"), req.ContentLength, maxTxnLen, "https://www.consul.io/docs/agent/options.html#txn_max_req_len"),
} }
=======
resp.WriteHeader(http.StatusRequestEntityTooLarge)
fmt.Fprintf(resp,
"Request body(%d bytes) too large, max size: %d bytes. See %s.",
req.ContentLength, maxTxnLen,
"https://www.consul.io/docs/agent/config/config-files.html#txn_max_req_len",
)
return nil, 0, false
>>>>>>> cd907b75cebdefe62a30986e0cdc7bd528c52159
} }
var ops api.TxnOps var ops api.TxnOps
@ -99,10 +109,19 @@ func (s *HTTPHandlers) convertOps(resp http.ResponseWriter, req *http.Request) (
if err.Error() == "http: request body too large" { if err.Error() == "http: request body too large" {
// The request size is also verified during decoding to double check // The request size is also verified during decoding to double check
// if the Content-Length header was not set by the client. // if the Content-Length header was not set by the client.
<<<<<<< HEAD
return nil, 0, EntityTooLargeError{ return nil, 0, EntityTooLargeError{
Reason: fmt.Sprintf("Request body too large, max size: %d bytes. See %s.", Reason: fmt.Sprintf("Request body too large, max size: %d bytes. See %s.",
maxTxnLen, "https://www.consul.io/docs/agent/options.html#txn_max_req_len"), maxTxnLen, "https://www.consul.io/docs/agent/options.html#txn_max_req_len"),
} }
=======
resp.WriteHeader(http.StatusRequestEntityTooLarge)
fmt.Fprintf(resp,
"Request body too large, max size: %d bytes. See %s.",
maxTxnLen,
"https://www.consul.io/docs/agent/config/config-files.html#txn_max_req_len",
)
>>>>>>> cd907b75cebdefe62a30986e0cdc7bd528c52159
} else { } else {
// Note the body is in API format, and not the RPC format. If we can't // Note the body is in API format, and not the RPC format. If we can't
// decode it, we will return a 400 since we don't have enough context to // decode it, we will return a 400 since we don't have enough context to

View File

@ -35,7 +35,7 @@ Every Consul Enterprise server maintains a reconciliation routine where every 30
Joining a network area pool involves: Joining a network area pool involves:
1. Setting memberlist and Serf configuration. 1. Setting memberlist and Serf configuration.
* Prior to Consul `v1.8.11` and `v1.9.5`, network areas were configured with memberlist's [DefaultWANConfig](https://github.com/hashicorp/memberlist/blob/838073fef1a4e1f6cb702a57a8075304098b1c31/config.go#L315). This was then updated to instead use the server's [gossip_wan](https://www.consul.io/docs/agent/options#gossip_wan) configuration, which falls back to the DefaultWANConfig if it was not specified. * Prior to Consul `v1.8.11` and `v1.9.5`, network areas were configured with memberlist's [DefaultWANConfig](https://github.com/hashicorp/memberlist/blob/838073fef1a4e1f6cb702a57a8075304098b1c31/config.go#L315). This was then updated to instead use the server's [gossip_wan](https://www.consul.io/docs/agent/config/config-files#gossip_wan) configuration, which falls back to the DefaultWANConfig if it was not specified.
* As of Consul `v1.8.11`/`v1.9.5` it is not possible to tune gossip communication on a per-area basis. * As of Consul `v1.8.11`/`v1.9.5` it is not possible to tune gossip communication on a per-area basis.
2. Update the server's gossip network, which keeps track of network areas that the server is a part of. This gossip network is also used to dispatch incoming **gossip** connections to handlers for the appropriate area. 2. Update the server's gossip network, which keeps track of network areas that the server is a part of. This gossip network is also used to dispatch incoming **gossip** connections to handlers for the appropriate area.

View File

@ -10,10 +10,10 @@ specified using command line flags, and some can be loaded with [Auto-Config].
See also the [checklist for adding a new field] to the configuration. See also the [checklist for adding a new field] to the configuration.
[hcl]: https://github.com/hashicorp/hcl/tree/hcl1 [hcl]: https://github.com/hashicorp/hcl/tree/hcl1
[Agent Configuration]: https://www.consul.io/docs/agent/options [Agent Configuration]: https://www.consul.io/docs/agent/config
[checklist for adding a new field]: ./checklist-adding-config-fields.md [checklist for adding a new field]: ./checklist-adding-config-fields.md
[Auto-Config]: #auto-config [Auto-Config]: #auto-config
[Config Entries]: https://www.consul.io/docs/agent/options#config_entries [Config Entries]: https://www.consul.io/docs/agent/config/config-files#config_entries
[Services]: https://www.consul.io/docs/discovery/services [Services]: https://www.consul.io/docs/discovery/services
[Checks]: https://www.consul.io/docs/discovery/checks [Checks]: https://www.consul.io/docs/discovery/checks
@ -53,6 +53,6 @@ implemented in a couple packages.
* the server RPC endpoint is in [agent/consul/auto_config_endpoint.go] * the server RPC endpoint is in [agent/consul/auto_config_endpoint.go]
* the client that receives and applies the config is implemented in [agent/auto-config] * the client that receives and applies the config is implemented in [agent/auto-config]
[auto_config]: https://www.consul.io/docs/agent/options#auto_config [auto_config]: https://www.consul.io/docs/agent/config/config-files#auto_config
[agent/consul/auto_config_endpoint.go]: https://github.com/hashicorp/consul/blob/main/agent/consul/auto_config_endpoint.go [agent/consul/auto_config_endpoint.go]: https://github.com/hashicorp/consul/blob/main/agent/consul/auto_config_endpoint.go
[agent/auto-config]: https://github.com/hashicorp/consul/tree/main/agent/auto-config [agent/auto-config]: https://github.com/hashicorp/consul/tree/main/agent/auto-config

View File

@ -55,7 +55,7 @@ There are four specific cases covered with increasing complexity:
state for client agent's RPC client. state for client agent's RPC client.
- [ ] Add a test to `agent/agent_test.go` similar to others with prefix - [ ] Add a test to `agent/agent_test.go` similar to others with prefix
`TestAgent_reloadConfig*`. `TestAgent_reloadConfig*`.
- [ ] Add documentation to `website/content/docs/agent/options.mdx`. - [ ] Add documentation to `website/content/docs/agent/config/config-files.mdx`.
Done! You can now use your new field in a client agent by accessing Done! You can now use your new field in a client agent by accessing
`s.agent.Config.<FieldName>`. `s.agent.Config.<FieldName>`.
@ -75,7 +75,7 @@ If the config field also needs a CLI flag, then follow these steps.
`TestLoad_IntegrationWithFlags` in `agent/config/runtime_test.go` to ensure setting the `TestLoad_IntegrationWithFlags` in `agent/config/runtime_test.go` to ensure setting the
flag works. flag works.
- [ ] Add flag (as well as config file) documentation to - [ ] Add flag (as well as config file) documentation to
`website/source/docs/agent/options.html.md`. `website/source/docs/agent/config/config-files.mdx` and `website/source/docs/agent/config/cli-flags.mdx`.
## Adding a Simple Config Field for Servers ## Adding a Simple Config Field for Servers
Consul servers have a separate Config struct for reasons. Note that Consul Consul servers have a separate Config struct for reasons. Note that Consul

View File

@ -22,7 +22,7 @@ The "RPC Server" accepts requests to the [server port] and routes the requests b
configuration of the Server and the the first byte in the request. The diagram below shows configuration of the Server and the the first byte in the request. The diagram below shows
all the possible routing flows. all the possible routing flows.
[server port]: https://www.consul.io/docs/agent/options#server_rpc_port [server port]: https://www.consul.io/docs/agent/config/config-files#server_rpc_port
![RPC Routing](./routing.svg) ![RPC Routing](./routing.svg)

View File

@ -16,7 +16,7 @@ the [ACL tutorial](https://learn.hashicorp.com/tutorials/consul/access-control-s
## Bootstrap ACLs ## Bootstrap ACLs
This endpoint does a special one-time bootstrap of the ACL system, making the first This endpoint does a special one-time bootstrap of the ACL system, making the first
management token if the [`acl.tokens.initial_management`](/docs/agent/options#acl_tokens_initial_management) management token if the [`acl.tokens.initial_management`](/docs/agent/config/config-files#acl_tokens_initial_management)
configuration entry is not specified in the Consul server configuration and if the configuration entry is not specified in the Consul server configuration and if the
cluster has not been bootstrapped previously. This is available in Consul 0.9.1 and later, cluster has not been bootstrapped previously. This is available in Consul 0.9.1 and later,
and requires all Consul servers to be upgraded in order to operate. and requires all Consul servers to be upgraded in order to operate.
@ -143,7 +143,7 @@ $ curl \
- `SourceDatacenter` - The authoritative ACL datacenter that ACLs are being - `SourceDatacenter` - The authoritative ACL datacenter that ACLs are being
replicated from and will match the replicated from and will match the
[`primary_datacenter`](/docs/agent/options#primary_datacenter) configuration. [`primary_datacenter`](/docs/agent/config/config-files#primary_datacenter) configuration.
- `ReplicationType` - The type of replication that is currently in use. - `ReplicationType` - The type of replication that is currently in use.
@ -295,7 +295,7 @@ The table below shows this endpoint's support for
-> **Note** - To use the login process to create tokens in any connected -> **Note** - To use the login process to create tokens in any connected
secondary datacenter, [ACL secondary datacenter, [ACL
replication](/docs/agent/options#acl_enable_token_replication) must be replication](/docs/agent/config/config-files#acl_enable_token_replication) must be
enabled. Login requires the ability to create local tokens which is restricted enabled. Login requires the ability to create local tokens which is restricted
to the primary datacenter and any secondary datacenters with ACL token to the primary datacenter and any secondary datacenters with ACL token
replication enabled. replication enabled.
@ -425,7 +425,7 @@ The table below shows this endpoint's support for
-> **Note** - To use the login process to create tokens in any connected -> **Note** - To use the login process to create tokens in any connected
secondary datacenter, [ACL secondary datacenter, [ACL
replication](/docs/agent/options#acl_enable_token_replication) must be replication](/docs/agent/config/config-files#acl_enable_token_replication) must be
enabled. Login requires the ability to create local tokens which is restricted enabled. Login requires the ability to create local tokens which is restricted
to the primary datacenter and any secondary datacenters with ACL token to the primary datacenter and any secondary datacenters with ACL token
replication enabled. replication enabled.
@ -505,7 +505,7 @@ The table below shows this endpoint's support for
-> **Note** - To use the login process to create tokens in any connected -> **Note** - To use the login process to create tokens in any connected
secondary datacenter, [ACL secondary datacenter, [ACL
replication](/docs/agent/options#acl_enable_token_replication) must be replication](/docs/agent/config/config-files#acl_enable_token_replication) must be
enabled. Login requires the ability to create local tokens which is restricted enabled. Login requires the ability to create local tokens which is restricted
to the primary datacenter and any secondary datacenters with ACL token to the primary datacenter and any secondary datacenters with ACL token
replication enabled. replication enabled.

View File

@ -358,7 +358,7 @@ This endpoint instructs the agent to reload its configuration. Any errors
encountered during this process are returned. encountered during this process are returned.
Not all configuration options are reloadable. See the Not all configuration options are reloadable. See the
[Reloadable Configuration](/docs/agent/options#reloadable-configuration) [Reloadable Configuration](/docs/agent/config#reloadable-configuration)
section on the agent options page for details on which options are supported. section on the agent options page for details on which options are supported.
| Method | Path | Produces | | Method | Path | Produces |
@ -438,7 +438,7 @@ page.
In order to enable [Prometheus](https://prometheus.io/) support, you need to use the In order to enable [Prometheus](https://prometheus.io/) support, you need to use the
configuration directive configuration directive
[`prometheus_retention_time`](/docs/agent/options#telemetry-prometheus_retention_time). [`prometheus_retention_time`](/docs/agent/config/config-files#telemetry-prometheus_retention_time).
Since Consul 1.7.2 this endpoint will also automatically switch output format if Since Consul 1.7.2 this endpoint will also automatically switch output format if
the request contains an `Accept` header with a compatible MIME type such as the request contains an `Accept` header with a compatible MIME type such as
@ -743,7 +743,7 @@ $ curl \
This endpoint updates the ACL tokens currently in use by the agent. It can be This endpoint updates the ACL tokens currently in use by the agent. It can be
used to introduce ACL tokens to the agent for the first time, or to update used to introduce ACL tokens to the agent for the first time, or to update
tokens that were initially loaded from the agent's configuration. Tokens will be persisted tokens that were initially loaded from the agent's configuration. Tokens will be persisted
only if the [`acl.enable_token_persistence`](/docs/agent/options#acl_enable_token_persistence) only if the [`acl.enable_token_persistence`](/docs/agent/config/config-files#acl_enable_token_persistence)
configuration is `true`. When not being persisted, they will need to be reset if the agent configuration is `true`. When not being persisted, they will need to be reset if the agent
is restarted. is restarted.
@ -755,9 +755,9 @@ is restarted.
| `PUT` | `/agent/token/replication` | `application/json` | | `PUT` | `/agent/token/replication` | `application/json` |
The paths above correspond to the token names as found in the agent configuration: The paths above correspond to the token names as found in the agent configuration:
[`default`](/docs/agent/options#acl_tokens_default), [`agent`](/docs/agent/options#acl_tokens_agent), [`default`](/docs/agent/config/config-files#acl_tokens_default), [`agent`](/docs/agent/config/config-files#acl_tokens_agent),
[`agent_recovery`](/docs/agent/options#acl_tokens_agent_recovery), and [`agent_recovery`](/docs/agent/config/config-files#acl_tokens_agent_recovery), and
[`replication`](/docs/agent/options#acl_tokens_replication). [`replication`](/docs/agent/config/config-files#acl_tokens_replication).
-> **Deprecation Note:** The following paths were deprecated in version 1.11 -> **Deprecation Note:** The following paths were deprecated in version 1.11
@ -766,7 +766,7 @@ The paths above correspond to the token names as found in the agent configuratio
| `PUT` | `/agent/token/agent_master` | `application/json` | | `PUT` | `/agent/token/agent_master` | `application/json` |
The paths above correspond to the token names as found in the agent configuration: The paths above correspond to the token names as found in the agent configuration:
[`agent_master`](/docs/agent/options#acl_tokens_agent_master). [`agent_master`](/docs/agent/config/config-files#acl_tokens_agent_master).
-> **Deprecation Note:** The following paths were deprecated in version 1.4.3 -> **Deprecation Note:** The following paths were deprecated in version 1.4.3
@ -778,9 +778,9 @@ The paths above correspond to the token names as found in the agent configuratio
| `PUT` | `/agent/token/acl_replication_token` | `application/json` | | `PUT` | `/agent/token/acl_replication_token` | `application/json` |
The paths above correspond to the token names as found in the agent configuration: The paths above correspond to the token names as found in the agent configuration:
[`acl_token`](/docs/agent/options#acl_token_legacy), [`acl_agent_token`](/docs/agent/options#acl_agent_token_legacy), [`acl_token`](/docs/agent/config/config-files#acl_token_legacy), [`acl_agent_token`](/docs/agent/config/config-files#acl_agent_token_legacy),
[`acl_agent_master_token`](/docs/agent/options#acl_agent_master_token_legacy), and [`acl_agent_master_token`](/docs/agent/config/config-files#acl_agent_master_token_legacy), and
[`acl_replication_token`](/docs/agent/options#acl_replication_token_legacy). [`acl_replication_token`](/docs/agent/config/config-files#acl_replication_token_legacy).
The table below shows this endpoint's support for The table below shows this endpoint's support for
[blocking queries](/api/features/blocking), [blocking queries](/api/features/blocking),

View File

@ -10,7 +10,7 @@ description: |-
The `/config` endpoints create, update, delete and query central configuration The `/config` endpoints create, update, delete and query central configuration
entries registered with Consul. See the entries registered with Consul. See the
[agent configuration](/docs/agent/options#enable_central_service_config) [agent configuration](/docs/agent/config/config-files#enable_central_service_config)
for more information on how to enable this functionality for centrally for more information on how to enable this functionality for centrally
configuring services and [configuration entries docs](/docs/agent/config-entries) for a description configuring services and [configuration entries docs](/docs/agent/config-entries) for a description
of the configuration entries content. of the configuration entries content.

View File

@ -96,7 +96,7 @@ The corresponding CLI command is [`consul intention create -replace`](/commands/
evaluation. As with L4 intentions, traffic that fails to match any of the evaluation. As with L4 intentions, traffic that fails to match any of the
provided permissions in this intention will be subject to the default provided permissions in this intention will be subject to the default
intention behavior is defined by the default [ACL intention behavior is defined by the default [ACL
policy](/docs/agent/options#acl_default_policy). policy](/docs/agent/config/config-files#acl_default_policy).
This should be omitted for an L4 intention as it is mutually exclusive with This should be omitted for an L4 intention as it is mutually exclusive with
the `Action` field. the `Action` field.

View File

@ -235,7 +235,7 @@ The table below shows this endpoint's support for
ascending order based on the estimated round trip time from that node. Passing ascending order based on the estimated round trip time from that node. Passing
`?near=_agent` will use the agent's node for the sort. This is specified as `?near=_agent` will use the agent's node for the sort. This is specified as
part of the URL as a query parameter. **Note** that using `near` will ignore part of the URL as a query parameter. **Note** that using `near` will ignore
[`use_streaming_backend`](/docs/agent/options#use_streaming_backend) and always [`use_streaming_backend`](/docs/agent/config/config-files#use_streaming_backend) and always
use blocking queries, because the data required to sort the results is not available use blocking queries, because the data required to sort the results is not available
to the streaming backend. to the streaming backend.

View File

@ -83,7 +83,7 @@ $ curl \
Consul 0.7 added the ability to translate addresses in HTTP response based on Consul 0.7 added the ability to translate addresses in HTTP response based on
the configuration setting for the configuration setting for
[`translate_wan_addrs`](/docs/agent/options#translate_wan_addrs). In order [`translate_wan_addrs`](/docs/agent/config/config-files#translate_wan_addrs). In order
to allow clients to know if address translation is in effect, the to allow clients to know if address translation is in effect, the
`X-Consul-Translate-Addresses` header will be added if translation is enabled, `X-Consul-Translate-Addresses` header will be added if translation is enabled,
and will have a value of `true`. If translation is not enabled then this header and will have a value of `true`. If translation is not enabled then this header
@ -94,7 +94,7 @@ will not be present.
All API responses for Consul versions after 1.9 will include an HTTP response All API responses for Consul versions after 1.9 will include an HTTP response
header `X-Consul-Default-ACL-Policy` set to either "allow" or "deny" which header `X-Consul-Default-ACL-Policy` set to either "allow" or "deny" which
mirrors the current value of the agent's mirrors the current value of the agent's
[`acl.default_policy`](/docs/agent/options#acl_default_policy) option. [`acl.default_policy`](/docs/agent/config/config-files#acl_default_policy) option.
This is also the default [intention](/docs/connect/intentions) enforcement This is also the default [intention](/docs/connect/intentions) enforcement
action if no intention matches. action if no intention matches.

View File

@ -69,7 +69,7 @@ $ curl \
``` ```
For more information about the Autopilot configuration options, see the For more information about the Autopilot configuration options, see the
[agent configuration section](/docs/agent/options#autopilot). [agent configuration section](/docs/agent/config/config-files#autopilot).
## Update Configuration ## Update Configuration

View File

@ -12,7 +12,7 @@ Corresponding HTTP API Endpoint: [\[PUT\] /v1/agent/token/:type](/api-docs/agent
This command updates the ACL tokens currently in use by the agent. It can be used to introduce This command updates the ACL tokens currently in use by the agent. It can be used to introduce
ACL tokens to the agent for the first time, or to update tokens that were initially loaded from ACL tokens to the agent for the first time, or to update tokens that were initially loaded from
the agent's configuration. Tokens are not persisted unless the agent's configuration. Tokens are not persisted unless
[`acl.enable_token_persistence`](/docs/agent/options#acl_enable_token_persistence) [`acl.enable_token_persistence`](/docs/agent/config/config-files#acl_enable_token_persistence)
is `true`, so tokens will need to be updated again if that option is `false` and is `true`, so tokens will need to be updated again if that option is `false` and
the agent is restarted. the agent is restarted.

View File

@ -10,7 +10,7 @@ Command: `consul config`
The `config` command is used to interact with Consul's central configuration The `config` command is used to interact with Consul's central configuration
system. It exposes commands for creating, updating, reading, and deleting system. It exposes commands for creating, updating, reading, and deleting
different kinds of config entries. See the different kinds of config entries. See the
[agent configuration](/docs/agent/options#enable_central_service_config) [agent configuration](/docs/agent/config/config-files#enable_central_service_config)
for more information on how to enable this functionality for centrally for more information on how to enable this functionality for centrally
configuring services and [configuration entries docs](/docs/agent/config-entries) for a description configuring services and [configuration entries docs](/docs/agent/config-entries) for a description
of the configuration entries content. of the configuration entries content.

View File

@ -42,7 +42,7 @@ proxy configuration needed.
be used instead. The scheme can also be set to HTTPS by setting the be used instead. The scheme can also be set to HTTPS by setting the
environment variable CONSUL_HTTP_SSL=true. This may be a unix domain socket environment variable CONSUL_HTTP_SSL=true. This may be a unix domain socket
using `unix:///path/to/socket` if the [agent is configured to using `unix:///path/to/socket` if the [agent is configured to
listen](/docs/agent/options#addresses) that way. listen](/docs/agent/config/config-files#addresses) that way.
-> **Note:** gRPC uses the same TLS -> **Note:** gRPC uses the same TLS
settings as the HTTPS API. If HTTPS is enabled then gRPC will require HTTPS settings as the HTTPS API. If HTTPS is enabled then gRPC will require HTTPS

View File

@ -78,7 +78,7 @@ information when `debug` is running. By default, it captures all information.
| `members` | A list of all the WAN and LAN members in the cluster. | | `members` | A list of all the WAN and LAN members in the cluster. |
| `metrics` | Metrics from the in-memory metrics endpoint in the target, captured at the interval. | | `metrics` | Metrics from the in-memory metrics endpoint in the target, captured at the interval. |
| `logs` | `DEBUG` level logs for the target agent, captured for the duration. | | `logs` | `DEBUG` level logs for the target agent, captured for the duration. |
| `pprof` | Golang heap, CPU, goroutine, and trace profiling. CPU profile is captured for `duration` in a single file, trace is captured for a single `interval`, while heap and goroutine are separate snapshots for each `interval`. This information is not retrieved unless [`enable_debug`](/docs/agent/options#enable_debug) is set to `true` on the target agent or ACLs are enable and an ACL token with `operator:read` is provided. | | `pprof` | Golang heap, CPU, goroutine, and trace profiling. CPU and traces are captured for `duration` in a single file while heap and goroutine are separate snapshots for each `interval`. This information is not retrieved unless [`enable_debug`](/docs/agent/config/config-files#enable_debug) is set to `true` on the target agent or ACLs are enable and an ACL token with `operator:read` is provided. |
## Examples ## Examples

View File

@ -235,7 +235,7 @@ CONSUL_TLS_SERVER_NAME=consulserver.domain
Like [`CONSUL_HTTP_ADDR`](#consul_http_addr) but configures the address the Like [`CONSUL_HTTP_ADDR`](#consul_http_addr) but configures the address the
local agent is listening for gRPC requests. Currently gRPC is only used for local agent is listening for gRPC requests. Currently gRPC is only used for
integrating [Envoy proxy](/docs/connect/proxies/envoy) and must be [enabled integrating [Envoy proxy](/docs/connect/proxies/envoy) and must be [enabled
explicitly](/docs/agent/options#grpc_port) in agent configuration. explicitly](/docs/agent/config/config-files#grpc_port) in agent configuration.
``` ```
CONSUL_GRPC_ADDR=127.0.0.1:8502 CONSUL_GRPC_ADDR=127.0.0.1:8502

View File

@ -104,10 +104,10 @@ Usage: `consul operator autopilot set-config [options]`
- `-disable-upgrade-migration` <EnterpriseAlert inline /> - Controls whether Consul will avoid promoting - `-disable-upgrade-migration` <EnterpriseAlert inline /> - Controls whether Consul will avoid promoting
new servers until it can perform a migration. Must be one of `[true|false]`. new servers until it can perform a migration. Must be one of `[true|false]`.
- `-redundancy-zone-tag` <EnterpriseAlert inline /> - Controls the [`-node-meta`](/docs/agent/options#_node_meta) - `-redundancy-zone-tag` <EnterpriseAlert inline /> - Controls the [`-node-meta`](/docs/agent/config/cli-flags#_node_meta)
key name used for separating servers into different redundancy zones. key name used for separating servers into different redundancy zones.
- `-upgrade-version-tag` <EnterpriseAlert inline /> - Controls the [`-node-meta`](/docs/agent/options#_node_meta) - `-upgrade-version-tag` <EnterpriseAlert inline /> - Controls the [`-node-meta`](/docs/agent/config/cli-flags#_node_meta)
tag to use for version info when performing upgrade migrations. If left blank, the Consul version will be used. tag to use for version info when performing upgrade migrations. If left blank, the Consul version will be used.
### Command Output ### Command Output

View File

@ -22,7 +22,7 @@ reload will be present in the agent logs and not in the output of this command.
**NOTE** **NOTE**
Not all configuration options are reloadable. See the Not all configuration options are reloadable. See the
[Reloadable Configuration](/docs/agent/options#reloadable-configuration) [Reloadable Configuration](/docs/agent/config#reloadable-configuration)
section on the agent options page for details on which options are supported. section on the agent options page for details on which options are supported.
The table below shows this command's [required ACLs](/api#authentication). Configuration of The table below shows this command's [required ACLs](/api#authentication). Configuration of

View File

@ -21,7 +21,7 @@ to be loaded by the agent. This command cannot operate on partial
configuration fragments since those won't pass the full agent validation. configuration fragments since those won't pass the full agent validation.
For more information on the format of Consul's configuration files, read the For more information on the format of Consul's configuration files, read the
consul agent [Configuration Files](/docs/agent/options#configuration-files) consul agent [Configuration Files](/docs/agent/config/config-files)
section. section.
## Usage ## Usage

View File

@ -56,9 +56,8 @@ See [Kubernetes Custom Resource Definitions](/docs/k8s/crds).
Configuration entries outside of Kubernetes should be managed with the Consul Configuration entries outside of Kubernetes should be managed with the Consul
[CLI](/commands/config) or [API](/api/config). Additionally, as a [CLI](/commands/config) or [API](/api/config). Additionally, as a
convenience for initial cluster bootstrapping, configuration entries can be convenience for initial cluster bootstrapping, configuration entries can be specified in all of the Consul servers's
specified in the Consul servers agent's [configuration files](/docs/agent/config/config-files#config_entries_bootstrap)
[configuration files](/docs/agent/options#config_entries_bootstrap)
### Managing Configuration Entries with the CLI ### Managing Configuration Entries with the CLI
@ -162,7 +161,7 @@ api
### Bootstrapping From A Configuration File ### Bootstrapping From A Configuration File
Configuration entries can be bootstrapped by adding them [inline to each Consul Configuration entries can be bootstrapped by adding them [inline to each Consul
server's configuration file](/docs/agent/options#config_entries). When a server's configuration file](/docs/agent/config/config-files#config_entries). When a
server gains leadership, it will attempt to initialize the configuration entries. server gains leadership, it will attempt to initialize the configuration entries.
If a configuration entry does not already exist outside of the servers If a configuration entry does not already exist outside of the servers
configuration, then it will create it. If a configuration entry does exist, that configuration, then it will create it. If a configuration entry does exist, that

View File

@ -0,0 +1,521 @@
---
layout: docs
page_title: Consul Agent CLI Reference
description: >-
This topic describes the supported options for configuring Consul agents on the command line.
---
# Command-line Options ((#commandline_options))
-> **Note:** Some CLI arguments may be different from HCL keys. See [Configuration Key Reference](/docs/agent/config/config-files#config_key_reference) for equivalent HCL Keys.
This topic describes the available command-line options for the Consul agent.
## Usage
See [Agent Overview](/docs/agent#starting-the-consul-agent) for examples of how to use flags with the `consul agent` CLI.
## Environment Variables
Environment variables **cannot** be used to configure the Consul client. They
_can_ be used when running other `consul` CLI commands that connect with a
running agent, e.g. `CONSUL_HTTP_ADDR=192.168.0.1:8500 consul members`.
See [Consul Commands](/docs/commands#environment-variables) for more
information.
## General
- `-check_output_max_size` - Override the default
limit of 4k for maximum size of checks, this is a positive value. By limiting this
size, it allows to put less pressure on Consul servers when many checks are having
a very large output in their checks. In order to completely disable check output
capture, it is possible to use [`discard_check_output`](/docs/agent/config/config-files#discard_check_output).
- `-client` ((#\_client)) - The address to which Consul will bind client
interfaces, including the HTTP and DNS servers. By default, this is "127.0.0.1",
allowing only loopback connections. In Consul 1.0 and later this can be set to
a space-separated list of addresses to bind to, or a [go-sockaddr]
template that can potentially resolve to multiple addresses.
- `-data-dir` ((#\_data_dir)) - This flag provides a data directory for
the agent to store state. This is required for all agents. The directory should
be durable across reboots. This is especially critical for agents that are running
in server mode as they must be able to persist cluster state. Additionally, the
directory must support the use of filesystem locking, meaning some types of mounted
folders (e.g. VirtualBox shared folders) may not be suitable.
**Note:** both server and non-server agents may store ACL tokens in the state in this directory so read access may grant access to any tokens on servers and to any tokens used during service registration on non-servers. On Unix-based platforms the files are written with 0600 permissions so you should ensure only trusted processes can execute as the same user as Consul. On Windows, you should ensure the directory has suitable permissions configured as these will be inherited.
- `-datacenter` ((#\_datacenter)) - This flag controls the datacenter in
which the agent is running. If not provided, it defaults to "dc1". Consul has first-class
support for multiple datacenters, but it relies on proper configuration. Nodes
in the same datacenter should be on a single LAN.
- `-dev` ((#\_dev)) - Enable development server mode. This is useful for
quickly starting a Consul agent with all persistence options turned off, enabling
an in-memory server which can be used for rapid prototyping or developing against
the API. In this mode, [Connect is enabled](/docs/connect/configuration) and
will by default create a new root CA certificate on startup. This mode is **not**
intended for production use as it does not write any data to disk. The gRPC port
is also defaulted to `8502` in this mode.
- `-disable-keyring-file` ((#\_disable_keyring_file)) - If set, the keyring
will not be persisted to a file. Any installed keys will be lost on shutdown, and
only the given `-encrypt` key will be available on startup. This defaults to false.
- `-enable-script-checks` ((#\_enable_script_checks)) This controls whether
[health checks that execute scripts](/docs/agent/checks) are enabled on this
agent, and defaults to `false` so operators must opt-in to allowing these. This
was added in Consul 0.9.0.
~> **Security Warning:** Enabling script checks in some configurations may
introduce a remote execution vulnerability which is known to be targeted by
malware. We strongly recommend `-enable-local-script-checks` instead. See [this
blog post](https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations)
for more details.
- `-enable-local-script-checks` ((#\_enable_local_script_checks))
Like [`enable_script_checks`](#_enable_script_checks), but only enable them when
they are defined in the local configuration files. Script checks defined in HTTP
API registrations will still not be allowed.
- `-encrypt` ((#\_encrypt)) - Specifies the secret key to use for encryption
of Consul network traffic. This key must be 32-bytes that are Base64-encoded. The
easiest way to create an encryption key is to use [`consul keygen`](/commands/keygen).
All nodes within a cluster must share the same encryption key to communicate. The
provided key is automatically persisted to the data directory and loaded automatically
whenever the agent is restarted. This means that to encrypt Consul's gossip protocol,
this option only needs to be provided once on each agent's initial startup sequence.
If it is provided after Consul has been initialized with an encryption key, then
the provided key is ignored and a warning will be displayed.
- `-grpc-port` ((#\_grpc_port)) - the gRPC API port to listen on. Default
-1 (gRPC disabled). See [ports](#ports) documentation for more detail.
- `-hcl` ((#\_hcl)) - A HCL configuration fragment. This HCL configuration
fragment is appended to the configuration and allows to specify the full range
of options of a config file on the command line. This option can be specified multiple
times. This was added in Consul 1.0.
- `-http-port` ((#\_http_port)) - the HTTP API port to listen on. This overrides
the default port 8500. This option is very useful when deploying Consul to an environment
which communicates the HTTP port through the environment e.g. PaaS like CloudFoundry,
allowing you to set the port directly via a Procfile.
- `-https-port` ((#\_https_port)) - the HTTPS API port to listen on. Default
-1 (https disabled). See [ports](#ports) documentation for more detail.
- `-default-query-time` ((#\_default_query_time)) - This flag controls the
amount of time a blocking query will wait before Consul will force a response.
This value can be overridden by the `wait` query parameter. Note that Consul applies
some jitter on top of this time. Defaults to 300s.
- `-max-query-time` ((#\_max_query_time)) - this flag controls the maximum
amount of time a blocking query can wait before Consul will force a response. Consul
applies jitter to the wait time. The jittered time will be capped to this time.
Defaults to 600s.
- `-pid-file` ((#\_pid_file)) - This flag provides the file path for the
agent to store its PID. This is useful for sending signals (for example, `SIGINT`
to close the agent or `SIGHUP` to update check definitions) to the agent.
- `-protocol` ((#\_protocol)) - The Consul protocol version to use. Consul
agents speak protocol 2 by default, however agents will automatically use protocol > 2 when speaking to compatible agents. This should be set only when [upgrading](/docs/upgrading). You can view the protocol versions supported by Consul by running `consul -v`.
- `-raft-protocol` ((#\_raft_protocol)) - This controls the internal version
of the Raft consensus protocol used for server communications. This must be set
to 3 in order to gain access to Autopilot features, with the exception of [`cleanup_dead_servers`](/docs/agent/config/config-files#cleanup_dead_servers). Defaults to 3 in Consul 1.0.0 and later (defaulted to 2 previously). See [Raft Protocol Version Compatibility](/docs/upgrade-specific#raft-protocol-version-compatibility) for more details.
- `-segment` ((#\_segment)) <EnterpriseAlert inline /> - This flag is used to set
the name of the network segment the agent belongs to. An agent can only join and
communicate with other agents within its network segment. Ensure the [join
operation uses the correct port for this segment](/docs/enterprise/network-segments#join_a_client_to_a_segment).
Review the [Network Segments documentation](/docs/enterprise/network-segments)
for more details. By default, this is an empty string, which is the `<default>`
network segment.
~> **Warning:** The `segment` flag cannot be used with the [`partition`](#partition-1) option.
## Advertise Address Options
- `-advertise` ((#\_advertise)) - The advertise address is used to change
the address that we advertise to other nodes in the cluster. By default, the [`-bind`](#_bind)
address is advertised. However, in some cases, there may be a routable address
that cannot be bound. This flag enables gossiping a different address to support
this. If this address is not routable, the node will be in a constant flapping
state as other nodes will treat the non-routability as a failure. In Consul 1.1.0 and later this can be dynamically defined with a [go-sockaddr]
template that is resolved at runtime.
- `-advertise-wan` ((#\_advertise-wan)) - The advertise WAN address is used
to change the address that we advertise to server nodes joining through the WAN.
This can also be set on client agents when used in combination with the [`translate_wan_addrs`](/docs/agent/config/config-files#translate_wan_addrs) configuration option. By default, the [`-advertise`](#_advertise) address
is advertised. However, in some cases all members of all datacenters cannot be
on the same physical or virtual network, especially on hybrid setups mixing cloud
and private datacenters. This flag enables server nodes gossiping through the public
network for the WAN while using private VLANs for gossiping to each other and their
client agents, and it allows client agents to be reached at this address when being
accessed from a remote datacenter if the remote datacenter is configured with [`translate_wan_addrs`](/docs/agent/config/config-files#translate_wan_addrs). In Consul 1.1.0 and later this can be dynamically defined with a [go-sockaddr]
template that is resolved at runtime.
## Address Bind Options
- `-bind` ((#\_bind)) - The address that should be bound to for internal
cluster communications. This is an IP address that should be reachable by all other
nodes in the cluster. By default, this is "0.0.0.0", meaning Consul will bind to
all addresses on the local machine and will [advertise](#_advertise)
the private IPv4 address to the rest of the cluster. If there are multiple private
IPv4 addresses available, Consul will exit with an error at startup. If you specify
`"[::]"`, Consul will [advertise](#_advertise) the public
IPv6 address. If there are multiple public IPv6 addresses available, Consul will
exit with an error at startup. Consul uses both TCP and UDP and the same port for
both. If you have any firewalls, be sure to allow both protocols. In Consul 1.1.0 and later this can be dynamically defined with a [go-sockaddr]
template that must resolve at runtime to a single address. Some example templates:
```shell
# Using address within a specific CIDR
$ consul agent -bind '{{ GetPrivateInterfaces | include "network" "10.0.0.0/8" | attr "address" }}'
```
```shell
# Using a static network interface name
$ consul agent -bind '{{ GetInterfaceIP "eth0" }}'
```
```shell
# Using regular expression matching for network interface name that is forwardable and up
$ consul agent -bind '{{ GetAllInterfaces | include "name" "^eth" | include "flags" "forwardable|up" | attr "address" }}'
```
- `-serf-wan-bind` ((#\_serf_wan_bind)) - The address that should be bound
to for Serf WAN gossip communications. By default, the value follows the same rules
as [`-bind` command-line flag](#_bind), and if this is not specified, the `-bind`
option is used. This is available in Consul 0.7.1 and later. In Consul 1.1.0 and later this can be dynamically defined with a [go-sockaddr]
template that is resolved at runtime.
- `-serf-lan-bind` ((#\_serf_lan_bind)) - The address that should be bound
to for Serf LAN gossip communications. This is an IP address that should be reachable
by all other LAN nodes in the cluster. By default, the value follows the same rules
as [`-bind` command-line flag](#_bind), and if this is not specified, the `-bind`
option is used. This is available in Consul 0.7.1 and later. In Consul 1.1.0 and later this can be dynamically defined with a [go-sockaddr]
template that is resolved at runtime.
## Bootstrap Options
- `-bootstrap` ((#\_bootstrap)) - This flag is used to control if a server
is in "bootstrap" mode. It is important that no more than one server **per** datacenter
be running in this mode. Technically, a server in bootstrap mode is allowed to
self-elect as the Raft leader. It is important that only a single node is in this
mode; otherwise, consistency cannot be guaranteed as multiple nodes are able to
self-elect. It is not recommended to use this flag after a cluster has been bootstrapped.
- `-bootstrap-expect` ((#\_bootstrap_expect)) - This flag provides the number
of expected servers in the datacenter. Either this value should not be provided
or the value must agree with other servers in the cluster. When provided, Consul
waits until the specified number of servers are available and then bootstraps the
cluster. This allows an initial leader to be elected automatically. This cannot
be used in conjunction with the legacy [`-bootstrap`](#_bootstrap) flag. This flag
requires [`-server`](#_server) mode.
## Configuration File Options
- `-config-file` ((#\_config_file)) - A configuration file to load. For
more information on the format of this file, read the [Configuration Files](#configuration_files)
section. This option can be specified multiple times to load multiple configuration
files. If it is specified multiple times, configuration files loaded later will
merge with configuration files loaded earlier. During a config merge, single-value
keys (string, int, bool) will simply have their values replaced while list types
will be appended together.
- `-config-dir` ((#\_config_dir)) - A directory of configuration files to
load. Consul will load all files in this directory with the suffix ".json" or ".hcl".
The load order is alphabetical, and the the same merge routine is used as with
the [`config-file`](#_config_file) option above. This option can be specified multiple
times to load multiple directories. Sub-directories of the config directory are
not loaded. For more information on the format of the configuration files, see
the [Configuration Files](#configuration_files) section.
- `-config-format` ((#\_config_format)) - The format of the configuration
files to load. Normally, Consul detects the format of the config files from the
".json" or ".hcl" extension. Setting this option to either "json" or "hcl" forces
Consul to interpret any file with or without extension to be interpreted in that
format.
## DNS and Domain Options
- `-dns-port` ((#\_dns_port)) - the DNS port to listen on. This overrides
the default port 8600. This is available in Consul 0.7 and later.
- `-domain` ((#\_domain)) - By default, Consul responds to DNS queries in
the "consul." domain. This flag can be used to change that domain. All queries
in this domain are assumed to be handled by Consul and will not be recursively
resolved.
- `-alt-domain` ((#\_alt_domain)) - This flag allows Consul to respond to
DNS queries in an alternate domain, in addition to the primary domain. If unset,
no alternate domain is used.
In Consul 1.10.4 and later, Consul DNS responses will use the same domain as in the query (`-domain` or `-alt-domain`) where applicable.
PTR query responses will always use `-domain`, since the desired domain cannot be included in the query.
- `-recursor` ((#\_recursor)) - Specifies the address of an upstream DNS
server. This option may be provided multiple times, and is functionally equivalent
to the [`recursors` configuration option](#recursors).
## Join Options
- `-join` ((#\_join)) - Address of another agent to join upon starting up.
This can be specified multiple times to specify multiple agents to join. If Consul
is unable to join with any of the specified addresses, agent startup will fail.
By default, the agent won't join any nodes when it starts up. Note that using [`retry_join`](#retry_join) could be more appropriate to help mitigate node startup race conditions when automating
a Consul cluster deployment.
In Consul 1.1.0 and later this can be dynamically defined with a
[go-sockaddr]
template that is resolved at runtime.
If using Enterprise network segments, see [additional documentation on
joining a client to a segment](/docs/enterprise/network-segments#join_a_client_to_a_segment).
- `-retry-join` ((#\_retry_join)) - Similar to [`-join`](#_join) but allows retrying a join until
it is successful. Once it joins successfully to a member in a list of members
it will never attempt to join again. Agents will then solely maintain their
membership via gossip. This is useful for cases where you know the address will
eventually be available. This option can be specified multiple times to
specify multiple agents to join. The value can contain IPv4, IPv6, or DNS
addresses. IPv6 must use the "bracketed" syntax. If multiple values
are given, they are tried and retried in the order listed until the first
succeeds.
In Consul 1.1.0 and later this can be dynamically defined with a
[go-sockaddr]
template that is resolved at runtime.
If Consul is running on the non-default Serf LAN port, the port must
be specified in the join address, or configured as the agent's default Serf port
using the [`ports.serf_lan`](/docs/agent/config/config-files#serf_lan_port) configuration option or
[`-serf-lan-port`](#_serf_lan_port) command line flag.
If using network segments (Enterprise), see [additional documentation on
joining a client to a segment](/docs/enterprise/network-segments#join_a_client_to_a_segment).
Here are some examples of using `-retry-join`:
```shell
# Using a DNS entry
$ consul agent -retry-join "consul.domain.internal"
```
```shell
# Using IPv4
$ consul agent -retry-join "10.0.4.67"
```
```shell
# Using a non-default Serf LAN port
$ consul agent -retry-join "192.0.2.10:8304"
```
```shell
# Using IPv6
$ consul agent -retry-join "[::1]:8301"
```
```shell
# Using multiple addresses
$ consul agent -retry-join "consul.domain.internal" -retry-join "10.0.4.67"
```
### Cloud Auto-Joining
As of Consul 0.9.1, `retry-join` accepts a unified interface using the
[go-discover](https://github.com/hashicorp/go-discover) library for doing
automatic cluster joining using cloud metadata. For more information, see
the [Cloud Auto-join page](/docs/agent/cloud-auto-join).
```shell
# Using Cloud Auto-Joining
$ consul agent -retry-join "provider=aws tag_key=..."
```
- `-retry-interval` ((#\_retry_interval)) - Time to wait between join attempts.
Defaults to 30s.
- `-retry-max` ((#\_retry_max)) - The maximum number of [`-join`](#_join)
attempts to be made before exiting with return code 1. By default, this is set
to 0 which is interpreted as infinite retries.
- `-join-wan` ((#\_join_wan)) - Address of another wan agent to join upon
starting up. This can be specified multiple times to specify multiple WAN agents
to join. If Consul is unable to join with any of the specified addresses, agent
startup will fail. By default, the agent won't [`-join-wan`](#_join_wan) any nodes
when it starts up.
In Consul 1.1.0 and later this can be dynamically defined with a [go-sockaddr]
template that is resolved at runtime.
- `-retry-join-wan` ((#\_retry_join_wan)) - Similar to [`retry-join`](#_retry_join)
but allows retrying a wan join if the first attempt fails. This is useful for cases
where we know the address will become available eventually. As of Consul 0.9.3
[Cloud Auto-Joining](#cloud-auto-joining) is supported as well.
In Consul 1.1.0 and later this can be dynamically defined with a [go-sockaddr]
template that is resolved at runtime.
- `-primary-gateway` ((#\_primary_gateway)) - Similar to [`retry-join-wan`](#_retry_join_wan)
but allows retrying discovery of fallback addresses for the mesh gateways in the
primary datacenter if the first attempt fails. This is useful for cases where we
know the address will become available eventually. [Cloud Auto-Joining](#cloud-auto-joining)
is supported as well as [go-sockaddr]
templates. This was added in Consul 1.8.0.
- `-retry-interval-wan` ((#\_retry_interval_wan)) - Time to wait between
[`-join-wan`](#_join_wan) attempts. Defaults to 30s.
- `-retry-max-wan` ((#\_retry_max_wan)) - The maximum number of [`-join-wan`](#_join_wan)
attempts to be made before exiting with return code 1. By default, this is set
to 0 which is interpreted as infinite retries.
- `-rejoin` ((#\_rejoin)) - When provided, Consul will ignore a previous
leave and attempt to rejoin the cluster when starting. By default, Consul treats
leave as a permanent intent and does not attempt to join the cluster again when
starting. This flag allows the previous state to be used to rejoin the cluster.
## Log Options
- `-log-file` ((#\_log_file)) - writes all the Consul agent log messages
to a file. This value is used as a prefix for the log file name. The current timestamp
is appended to the file name. If the value ends in a path separator, `consul-`
will be appended to the value. If the file name is missing an extension, `.log`
is appended. For example, setting `log-file` to `/var/log/` would result in a log
file path of `/var/log/consul-{timestamp}.log`. `log-file` can be combined with
[`-log-rotate-bytes`](#_log_rotate_bytes) and [-log-rotate-duration](#_log_rotate_duration)
for a fine-grained log rotation experience.
- `-log-rotate-bytes` ((#\_log_rotate_bytes)) - to specify the number of
bytes that should be written to a log before it needs to be rotated. Unless specified,
there is no limit to the number of bytes that can be written to a log file.
- `-log-rotate-duration` ((#\_log_rotate_duration)) - to specify the maximum
duration a log should be written to before it needs to be rotated. Must be a duration
value such as 30s. Defaults to 24h.
- `-log-rotate-max-files` ((#\_log_rotate_max_files)) - to specify the maximum
number of older log file archives to keep. Defaults to 0 (no files are ever deleted).
Set to -1 to discard old log files when a new one is created.
- `-log-level` ((#\_log_level)) - The level of logging to show after the
Consul agent has started. This defaults to "info". The available log levels are
"trace", "debug", "info", "warn", and "err". You can always connect to an agent
via [`consul monitor`](/commands/monitor) and use any log level. Also,
the log level can be changed during a config reload.
- `-log-json` ((#\_log_json)) - This flag enables the agent to output logs
in a JSON format. By default this is false.
- `-syslog` ((#\_syslog)) - This flag enables logging to syslog. This is
only supported on Linux and OSX. It will result in an error if provided on Windows.
## Node Options
- `-node` ((#\_node)) - The name of this node in the cluster. This must
be unique within the cluster. By default this is the hostname of the machine.
- `-node-id` ((#\_node_id)) - Available in Consul 0.7.3 and later, this
is a unique identifier for this node across all time, even if the name of the node
or address changes. This must be in the form of a hex string, 36 characters long,
such as `adf4238a-882b-9ddc-4a9d-5b6758e4159e`. If this isn't supplied, which is
the most common case, then the agent will generate an identifier at startup and
persist it in the [data directory](#_data_dir) so that it will remain the same
across agent restarts. Information from the host will be used to generate a deterministic
node ID if possible, unless [`-disable-host-node-id`](#_disable_host_node_id) is
set to true.
- `-node-meta` ((#\_node_meta)) - Available in Consul 0.7.3 and later, this
specifies an arbitrary metadata key/value pair to associate with the node, of the
form `key:value`. This can be specified multiple times. Node metadata pairs have
the following restrictions:
- A maximum of 64 key/value pairs can be registered per node.
- Metadata keys must be between 1 and 128 characters (inclusive) in length
- Metadata keys must contain only alphanumeric, `-`, and `_` characters.
- Metadata keys must not begin with the `consul-` prefix; that is reserved for internal use by Consul.
- Metadata values must be between 0 and 512 (inclusive) characters in length.
- Metadata values for keys beginning with `rfc1035-` are encoded verbatim in DNS TXT requests, otherwise
the metadata kv-pair is encoded according [RFC1464](https://www.ietf.org/rfc/rfc1464.txt).
- `-disable-host-node-id` ((#\_disable_host_node_id)) - Setting this to
true will prevent Consul from using information from the host to generate a deterministic
node ID, and will instead generate a random node ID which will be persisted in
the data directory. This is useful when running multiple Consul agents on the same
host for testing. This defaults to false in Consul prior to version 0.8.5 and in
0.8.5 and later defaults to true, so you must opt-in for host-based IDs. Host-based
IDs are generated using [gopsutil](https://github.com/shirou/gopsutil/tree/master/v3/host), which
is shared with HashiCorp's [Nomad](https://www.nomadproject.io/), so if you opt-in
to host-based IDs then Consul and Nomad will use information on the host to automatically
assign the same ID in both systems.
## Serf Options
- `-serf-lan-allowed-cidrs` ((#\_serf_lan_allowed_cidrs)) - The Serf LAN allowed CIDRs allow to accept incoming
connections for Serf only from several networks (multiple values are supported).
Those networks are specified with CIDR notation (eg: 192.168.1.0/24).
This is available in Consul 1.8 and later.
- `-serf-lan-port` ((#\_serf_lan_port)) - the Serf LAN port to listen on.
This overrides the default Serf LAN port 8301. This is available in Consul 1.2.2
and later.
- `-serf-wan-allowed-cidrs` ((#\_serf_wan_allowed_cidrs)) - The Serf WAN allowed CIDRs allow to accept incoming
connections for Serf only from several networks (multiple values are supported).
Those networks are specified with CIDR notation (eg: 192.168.1.0/24).
This is available in Consul 1.8 and later.
- `-serf-wan-port` ((#\_serf_wan_port)) - the Serf WAN port to listen on.
This overrides the default Serf WAN port 8302. This is available in Consul 1.2.2
and later.
## Server Options
- `-server` ((#\_server)) - This flag is used to control if an agent is
in server or client mode. When provided, an agent will act as a Consul server.
Each Consul cluster must have at least one server and ideally no more than 5 per
datacenter. All servers participate in the Raft consensus algorithm to ensure that
transactions occur in a consistent, linearizable manner. Transactions modify cluster
state, which is maintained on all server nodes to ensure availability in the case
of node failure. Server nodes also participate in a WAN gossip pool with server
nodes in other datacenters. Servers act as gateways to other datacenters and forward
traffic as appropriate.
- `-server-port` ((#\_server_port)) - the server RPC port to listen on.
This overrides the default server RPC port 8300. This is available in Consul 1.2.2
and later.
- `-non-voting-server` ((#\_non_voting_server)) <EnterpriseAlert inline /> - **This field
is deprecated in Consul 1.9.1. See the [`-read-replica`](#_read_replica) flag instead.**
- `-read-replica` ((#\_read_replica)) <EnterpriseAlert inline /> - This
flag is used to make the server not participate in the Raft quorum, and have it
only receive the data replication stream. This can be used to add read scalability
to a cluster in cases where a high volume of reads to servers are needed.
## UI Options
- `-ui` ((#\_ui)) - Enables the built-in web UI server and the required
HTTP routes. This eliminates the need to maintain the Consul web UI files separately
from the binary.
- `-ui-dir` ((#\_ui_dir)) - This flag provides the directory containing
the Web UI resources for Consul. This will automatically enable the Web UI. The
directory must be readable to the agent. Starting with Consul version 0.7.0 and
later, the Web UI assets are included in the binary so this flag is no longer necessary;
specifying only the `-ui` flag is enough to enable the Web UI. Specifying both
the '-ui' and '-ui-dir' flags will result in an error.
<!-- prettier-ignore -->
- `-ui-content-path` ((#\_ui\_content\_path)) - This flag provides the option
to change the path the Consul UI loads from and will be displayed in the browser.
By default, the path is `/ui/`, for example `http://localhost:8500/ui/`. Only alphanumerics,
`-`, and `_` are allowed in a custom path.`/v1/` is not allowed as it would overwrite
the API endpoint.

View File

@ -0,0 +1,83 @@
---
layout: docs
page_title: Configuration
description: >-
The agent has various configuration options that can be specified via the
command-line or via configuration files. All of the configuration options are
completely optional. Defaults are specified with their descriptions.
---
# Configuration
The agent has various configuration options that can be specified via
the command-line or via configuration files. All of the configuration
options are completely optional. Defaults are specified with their
descriptions.
Configuration precedence is evaluated in the following order:
1. [Command line arguments](/docs/agent/config/cli-flags)
2. [Configuration files](/docs/agent/config/config-files)
When loading configuration, Consul loads the configuration from files and
directories in lexical order. For example, configuration file
`basic_config.json` will be processed before `extra_config.json`. Configuration
can be in either [HCL](https://github.com/hashicorp/hcl#syntax) or JSON format.
Available in Consul 1.0 and later, the HCL support now requires an `.hcl` or
`.json` extension on all configuration files in order to specify their format.
Configuration specified later will be merged into configuration specified
earlier. In most cases, "merge" means that the later version will override the
earlier. In some cases, such as event handlers, merging appends the handlers to
the existing configuration. The exact merging behavior is specified for each
option below.
Consul also supports reloading configuration when it receives the
SIGHUP signal. Not all changes are respected, but those that are
documented below in the
[Reloadable Configuration](#reloadable-configuration) section. The
[reload command](/commands/reload) can also be used to trigger a
configuration reload.
You can test the following configuration options by following the
[Getting Started](https://learn.hashicorp.com/tutorials/consul/get-started-install?utm_source=consul.io&utm_medium=docs)
tutorials to install a local agent.
## Ports Used
Consul requires up to 6 different ports to work properly, some on
TCP, UDP, or both protocols.
Review the [required ports](/docs/install/ports) table for a list of
required ports and their default settings.
## Reloadable Configuration
Reloading configuration does not reload all configuration items. The
items which are reloaded include:
- ACL Tokens
- [Configuration Entry Bootstrap](/docs/agent/config/config-files#config_entries_bootstrap)
- Checks
- [Discard Check Output](/docs/agent/config/config-files#discard_check_output)
- HTTP Client Address
- Log level
- [Metric Prefix Filter](/docs/agent/config/config-files#telemetry-prefix_filter)
- [Node Metadata](/docs/agent/config/config-files#node_meta)
- Some Raft options (since Consul 1.10.0)
- [`raft_snapshot_threshold`](/docs/agent/config/config-files#_raft_snapshot_threshold)
- [`raft_snapshot_interval`](/docs/agent/config/config-files#_raft_snapshot_interval)
- [`raft_trailing_logs`](/docs/agent/config/config-files#_raft_trailing_logs)
- These can be important in certain outage situations so being able to control
them without a restart provides a recovery path that doesn't involve
downtime. They generally shouldn't be changed otherwise.
- [RPC rate limiting](/docs/agent/config/config-files#limits)
- [HTTP Maximum Connections per Client](/docs/agent/config/config-files#http_max_conns_per_client)
- Services
- TLS Configuration
- Please be aware that this is currently limited to reload a configuration that is already TLS enabled. You cannot enable or disable TLS only with reloading.
- Watches
<!-- list of reference-style links -->
[go-sockaddr]: https://godoc.org/github.com/hashicorp/go-sockaddr/template

View File

@ -102,7 +102,7 @@ The following example starts an agent in dev mode and stores agent state data in
$ consul agent -data-dir=tmp/consul -dev $ consul agent -data-dir=tmp/consul -dev
``` ```
Agents are highly configurable, which enables you to deploy Consul to any infrastructure. Many of the default options for the `agent` command are suitable for becoming familiar with a local instance of Consul. In practice, however, several additional configuration options must be specified for Consul to function as expected. Refer to [Agent Configuration](/docs/agent/options) topic for a complete list of configuration options. Agents are highly configurable, which enables you to deploy Consul to any infrastructure. Many of the default options for the `agent` command are suitable for becoming familiar with a local instance of Consul. In practice, however, several additional configuration options must be specified for Consul to function as expected. Refer to [Agent Configuration](/docs/agent/config) topic for a complete list of configuration options.
### Understanding the Agent Startup Output ### Understanding the Agent Startup Output
@ -127,16 +127,15 @@ $ consul agent -data-dir=/tmp/consul
- **Node name**: This is a unique name for the agent. By default, this - **Node name**: This is a unique name for the agent. By default, this
is the hostname of the machine, but you may customize it using the is the hostname of the machine, but you may customize it using the
[`-node`](/docs/agent/options#_node) flag. [`-node`](/docs/agent/config/cli-flags#_node) flag.
- **Datacenter**: This is the datacenter in which the agent is configured to - **Datacenter**: This is the datacenter in which the agent is configured to
run. For single-DC configurations, the agent will default to `dc1`, but you can configure which datacenter the agent reports to with the [`-datacenter`](/docs/agent/options#_datacenter) flag. run. For single-DC configurations, the agent will default to `dc1`, but you can configure which datacenter the agent reports to with the [`-datacenter`](/docs/agent/config/cli-flags#_datacenter) flag.
Consul has first-class support for multiple datacenters, but configuring each node to report its datacenter improves agent efficiency. Consul has first-class support for multiple datacenters, but configuring each node to report its datacenter improves agent efficiency.
- **Server**: This indicates whether the agent is running in server or client - **Server**: This indicates whether the agent is running in server or client
mode. mode.
Running an agent in server mode requires additional overhead. This is because they participate in the consensus quorum, store cluster state, and handle queries. A server may also be Running an agent in server mode requires additional overhead. This is because they participate in the consensus quorum, store cluster state, and handle queries. A server may also be in [`bootstrap`](/docs/agent/config/cli-flags#_bootstrap_expect) mode, which enables the server to elect itself as the raft leader. Multiple servers cannot be in bootstrap mode because it would put the cluster in an inconsistent state.
in ["bootstrap"](/docs/agent/options#_bootstrap_expect) mode, which enables the server to elect itself as the Raft leader. Multiple servers cannot be in bootstrap mode because it would put the cluster in an inconsistent state.
- **Client Addr**: This is the address used for client interfaces to the agent. - **Client Addr**: This is the address used for client interfaces to the agent.
This includes the ports for the HTTP and DNS interfaces. By default, this This includes the ports for the HTTP and DNS interfaces. By default, this
@ -179,18 +178,18 @@ The following settings are commonly used in the configuration file (also called
| Parameter | Description | Default | | Parameter | Description | Default |
| ------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------- | | ------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------- |
| `node_name` | String value that specifies a name for the agent node. <br/>See [`-node-id`](/docs/agent/options#_node_id) for details. | Hostname of the machine | | `node_name` | String value that specifies a name for the agent node. <br/>See [`-node-id`](/docs/agent/config/cli-flags#_node_id) for details. | Hostname of the machine |
| `server` | Boolean value that determines if the agent runs in server mode. <br/>See [`-server`](/docs/agent/options#_server) for details. | `false` | | `server` | Boolean value that determines if the agent runs in server mode. <br/>See [`-server`](/docs/agent/config/cli-flags#_server) for details. | `false` |
| `datacenter` | String value that specifies which datacenter the agent runs in. <br/>See [-datacenter](/docs/agent/options#_datacenter) for details. | `dc1` | | `datacenter` | String value that specifies which datacenter the agent runs in. <br/>See [-datacenter](/docs/agent/config/cli-flags#_datacenter) for details. | `dc1` |
| `data_dir` | String value that specifies a directory for storing agent state data. <br/>See [`-data-dir`](/docs/agent/options#_data_dir) for details. | none | | `data_dir` | String value that specifies a directory for storing agent state data. <br/>See [`-data-dir`](/docs/agent/config/cli-flags#_data_dir) for details. | none |
| `log_level` | String value that specifies the level of logging the agent reports. <br/>See [`-log-level`](docs/agent/options#_log_level) for details. | `info` | | `log_level` | String value that specifies the level of logging the agent reports. <br/>See [`-log-level`](/docs/agent/config/cli-flags#_log_level) for details. | `info` |
| `retry_join` | Array of string values that specify one or more agent addresses to join after startup. The agent will continue trying to join the specified agents until it has successfully joined another member. <br/>See [`-retry-join`](/docs/agent/options#_retry_join) for details. | none | | `retry_join` | Array of string values that specify one or more agent addresses to join after startup. The agent will continue trying to join the specified agents until it has successfully joined another member. <br/>See [`-retry-join`](/docs/agent/config/cli-flags#_retry_join) for details. | none |
| `addresses` | Block of nested objects that define addresses bound to the agent for internal cluster communication. | `"http": "0.0.0.0"` See the Agent Configuration page for [default address values](/docs/agent/options#addresses) | | `addresses` | Block of nested objects that define addresses bound to the agent for internal cluster communication. | `"http": "0.0.0.0"` See the Agent Configuration page for [default address values](/docs/agent/config/config-files#addresses) |
| `ports` | Block of nested objects that define ports bound to agent addresses. <br/>See (link to addresses option) for details. | See the Agent Configuration page for [default port values](/docs/agent/options#ports) | | `ports` | Block of nested objects that define ports bound to agent addresses. <br/>See (link to addresses option) for details. | See the Agent Configuration page for [default port values](/docs/agent/config/config-files#ports) |
### Server Node in a Service Mesh ### Server Node in a Service Mesh
The following example configuration is for a server agent named "`consul-server`". The server is [bootstrapped](/docs/agent/options#_bootstrap) and the Consul GUI is enabled. The following example configuration is for a server agent named "`consul-server`". The server is [bootstrapped](/docs/agent/config/cli-flags#_bootstrap) and the Consul GUI is enabled.
The reason this server agent is configured for a service mesh is that the `connect` configuration is enabled. Connect is Consul's service mesh component that provides service-to-service connection authorization and encryption using mutual Transport Layer Security (TLS). Applications can use sidecar proxies in a service mesh configuration to establish TLS connections for inbound and outbound connections without being aware of Connect at all. See [Connect](/docs/connect) for details. The reason this server agent is configured for a service mesh is that the `connect` configuration is enabled. Connect is Consul's service mesh component that provides service-to-service connection authorization and encryption using mutual Transport Layer Security (TLS). Applications can use sidecar proxies in a service mesh configuration to establish TLS connections for inbound and outbound connections without being aware of Connect at all. See [Connect](/docs/connect) for details.
<CodeTabs> <CodeTabs>
@ -434,8 +433,8 @@ may not be important for your use case. For example, for a web server and load
balancer setup, both result in the same outcome: the web node is removed balancer setup, both result in the same outcome: the web node is removed
from the load balancer pool. from the load balancer pool.
The [`skip_leave_on_interrupt`](/docs/agent/options#skip_leave_on_interrupt) and The [`skip_leave_on_interrupt`](/docs/agent/config/config-files#skip_leave_on_interrupt) and
[`leave_on_terminate`](/docs/agent/options#leave_on_terminate) configuration [`leave_on_terminate`](/docs/agent/config/config-files#leave_on_terminate) configuration
options allow you to adjust this behavior. options allow you to adjust this behavior.
<!-- list of reference-style links --> <!-- list of reference-style links -->

View File

@ -29,7 +29,7 @@ This telemetry information can be used for debugging or otherwise
getting a better view of what Consul is doing. Review the [Monitoring and getting a better view of what Consul is doing. Review the [Monitoring and
Metrics tutorial](https://learn.hashicorp.com/tutorials/consul/monitor-datacenter-health?utm_source=consul.io&utm_medium=docs) to learn how collect and interpret Consul data. Metrics tutorial](https://learn.hashicorp.com/tutorials/consul/monitor-datacenter-health?utm_source=consul.io&utm_medium=docs) to learn how collect and interpret Consul data.
Additionally, if the [`telemetry` configuration options](/docs/agent/options#telemetry) Additionally, if the [`telemetry` configuration options](/docs/agent/config/config-files#telemetry)
are provided, the telemetry information will be streamed to a are provided, the telemetry information will be streamed to a
[statsite](http://github.com/armon/statsite) or [statsd](http://github.com/etsy/statsd) server where [statsite](http://github.com/armon/statsite) or [statsd](http://github.com/etsy/statsd) server where
it can be aggregated and flushed to Graphite or any other metrics store. it can be aggregated and flushed to Graphite or any other metrics store.
@ -140,7 +140,7 @@ you will need to apply a function such as InfluxDB's [`non_negative_difference()
| Metric Name | Description | Unit | Type | | Metric Name | Description | Unit | Type |
| :--------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------- | :------ | | :--------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------- | :------ |
| `consul.client.rpc` | Increments whenever a Consul agent in client mode makes an RPC request to a Consul server | requests | counter | | `consul.client.rpc` | Increments whenever a Consul agent in client mode makes an RPC request to a Consul server | requests | counter |
| `consul.client.rpc.exceeded` | Increments whenever a Consul agent in client mode makes an RPC request to a Consul server gets rate limited by that agent's [`limits`](/docs/agent/options#limits) configuration. | requests | counter | | `consul.client.rpc.exceeded` | Increments whenever a Consul agent in client mode makes an RPC request to a Consul server gets rate limited by that agent's [`limits`](/docs/agent/config/config-files#limits) configuration. | requests | counter |
| `consul.client.rpc.failed` | Increments whenever a Consul agent in client mode makes an RPC request to a Consul server and fails. | requests | counter | | `consul.client.rpc.failed` | Increments whenever a Consul agent in client mode makes an RPC request to a Consul server and fails. | requests | counter |
**Why they're important:** These measurements indicate the current load created from a Consul agent, including when the load becomes high enough to be rate limited. A high RPC count, especially from `consul.client.rpcexceeded` meaning that the requests are being rate-limited, could imply a misconfigured Consul agent. **Why they're important:** These measurements indicate the current load created from a Consul agent, including when the load becomes high enough to be rate limited. A high RPC count, especially from `consul.client.rpcexceeded` meaning that the requests are being rate-limited, could imply a misconfigured Consul agent.
@ -172,7 +172,7 @@ Under these conditions, a follower after a restart may be unable to catch up on
replication and become a voter again since it takes longer to restore from disk replication and become a voter again since it takes longer to restore from disk
or the leader than the leader takes to write a new snapshot and truncate its or the leader than the leader takes to write a new snapshot and truncate its
logs. Servers retain logs. Servers retain
[`raft_trailing_logs`](/docs/agent/options#_raft_trailing_logs) (default [`raft_trailing_logs`](/docs/agent/config/config-files#raft_trailing_logs) (default
`10240`) log entries even if their snapshot was more recent. On a leader `10240`) log entries even if their snapshot was more recent. On a leader
processing 500 commits/second, that is only about 20 seconds worth of logs. processing 500 commits/second, that is only about 20 seconds worth of logs.
Assuming the leader is able to write out a snapshot and truncate the logs in Assuming the leader is able to write out a snapshot and truncate the logs in
@ -197,7 +197,7 @@ repeatedly as well as reduce the fault tolerance and serving capacity of the
cluster. cluster.
Since Consul 1.5.3 Since Consul 1.5.3
[`raft_trailing_logs`](/docs/agent/options#_raft_trailing_logs) has been [`raft_trailing_logs`](/docs/agent/config/config-files#raft_trailing_logs) has been
configurable. Increasing it allows the leader to retain more logs and give configurable. Increasing it allows the leader to retain more logs and give
followers more time to restore and catch up. The tradeoff is potentially followers more time to restore and catch up. The tradeoff is potentially
slower appends which eventually might affect write throughput and latency slower appends which eventually might affect write throughput and latency
@ -208,7 +208,7 @@ mean loosing cluster availability and needing to recover the cluster from a loss
of quorum. of quorum.
Since Consul 1.10.0 Since Consul 1.10.0
[`raft_trailing_logs`](/docs/agent/options#_raft_trailing_logs) is now [`raft_trailing_logs`](/docs/agent/config/config-files#raft_trailing_logs) is now
reloadable with `consul reload` or `SIGHUP` allowing operators to increase this reloadable with `consul reload` or `SIGHUP` allowing operators to increase this
without the leader restarting or loosing leadership allowing the cluster to be without the leader restarting or loosing leadership allowing the cluster to be
recovered gracefully. recovered gracefully.
@ -333,7 +333,7 @@ This is a full list of metrics emitted by Consul.
| `consul.acl.blocked.{check,node,service}.registration` | Increments whenever a registration fails for an entity (check, node or service) is blocked by an ACL. | requests | counter | | `consul.acl.blocked.{check,node,service}.registration` | Increments whenever a registration fails for an entity (check, node or service) is blocked by an ACL. | requests | counter |
| `consul.api.http` | Migrated from consul.http.. this samples how long it takes to service the given HTTP request for the given verb and path. Includes labels for `path` and `method`. `path` does not include details like service or key names, for these an underscore will be present as a placeholder (eg. path=`v1.kv._`) | ms | timer | | `consul.api.http` | Migrated from consul.http.. this samples how long it takes to service the given HTTP request for the given verb and path. Includes labels for `path` and `method`. `path` does not include details like service or key names, for these an underscore will be present as a placeholder (eg. path=`v1.kv._`) | ms | timer |
| `consul.client.rpc` | Increments whenever a Consul agent in client mode makes an RPC request to a Consul server. This gives a measure of how much a given agent is loading the Consul servers. Currently, this is only generated by agents in client mode, not Consul servers. | requests | counter | | `consul.client.rpc` | Increments whenever a Consul agent in client mode makes an RPC request to a Consul server. This gives a measure of how much a given agent is loading the Consul servers. Currently, this is only generated by agents in client mode, not Consul servers. | requests | counter |
| `consul.client.rpc.exceeded` | Increments whenever a Consul agent in client mode makes an RPC request to a Consul server gets rate limited by that agent's [`limits`](/docs/agent/options#limits) configuration. This gives an indication that there's an abusive application making too many requests on the agent, or that the rate limit needs to be increased. Currently, this only applies to agents in client mode, not Consul servers. | rejected requests | counter | | `consul.client.rpc.exceeded` | Increments whenever a Consul agent in client mode makes an RPC request to a Consul server gets rate limited by that agent's [`limits`](/docs/agent/config/config-files#limits) configuration. This gives an indication that there's an abusive application making too many requests on the agent, or that the rate limit needs to be increased. Currently, this only applies to agents in client mode, not Consul servers. | rejected requests | counter |
| `consul.client.rpc.failed` | Increments whenever a Consul agent in client mode makes an RPC request to a Consul server and fails. | requests | counter | | `consul.client.rpc.failed` | Increments whenever a Consul agent in client mode makes an RPC request to a Consul server and fails. | requests | counter |
| `consul.client.api.catalog_register.` | Increments whenever a Consul agent receives a catalog register request. | requests | counter | | `consul.client.api.catalog_register.` | Increments whenever a Consul agent receives a catalog register request. | requests | counter |
| `consul.client.api.success.catalog_register.` | Increments whenever a Consul agent successfully responds to a catalog register request. | requests | counter | | `consul.client.api.success.catalog_register.` | Increments whenever a Consul agent successfully responds to a catalog register request. | requests | counter |
@ -431,7 +431,7 @@ These metrics are used to monitor the health of the Consul servers.
| `consul.raft.last_index` | Represents the raft applied index. | index | gauge | | `consul.raft.last_index` | Represents the raft applied index. | index | gauge |
| `consul.raft.leader.dispatchLog` | Measures the time it takes for the leader to write log entries to disk. | ms | timer | | `consul.raft.leader.dispatchLog` | Measures the time it takes for the leader to write log entries to disk. | ms | timer |
| `consul.raft.leader.dispatchNumLogs` | Measures the number of logs committed to disk in a batch. | logs | gauge | | `consul.raft.leader.dispatchNumLogs` | Measures the number of logs committed to disk in a batch. | logs | gauge |
| `consul.raft.leader.lastContact` | Measures the time since the leader was last able to contact the follower nodes when checking its leader lease. It can be used as a measure for how stable the Raft timing is and how close the leader is to timing out its lease.The lease timeout is 500 ms times the [`raft_multiplier` configuration](/docs/agent/options#raft_multiplier), so this telemetry value should not be getting close to that configured value, otherwise the Raft timing is marginal and might need to be tuned, or more powerful servers might be needed. See the [Server Performance](/docs/install/performance) guide for more details. | ms | timer | | `consul.raft.leader.lastContact` | Measures the time since the leader was last able to contact the follower nodes when checking its leader lease. It can be used as a measure for how stable the Raft timing is and how close the leader is to timing out its lease.The lease timeout is 500 ms times the [`raft_multiplier` configuration](/docs/agent/config/config-files#raft_multiplier), so this telemetry value should not be getting close to that configured value, otherwise the Raft timing is marginal and might need to be tuned, or more powerful servers might be needed. See the [Server Performance](/docs/install/performance) guide for more details. | ms | timer |
| `consul.raft.leader.oldestLogAge` | The number of milliseconds since the _oldest_ log in the leader's log store was written. This can be important for replication health where write rate is high and the snapshot is large as followers may be unable to recover from a restart if restoring takes longer than the minimum value for the current leader. Compare this with `consul.raft.fsm.lastRestoreDuration` and `consul.raft.rpc.installSnapshot` to monitor. In normal usage this gauge value will grow linearly over time until a snapshot completes on the leader and the log is truncated. Note: this metric won't be emitted until the leader writes a snapshot. After an upgrade to Consul 1.10.0 it won't be emitted until the oldest log was written after the upgrade. | ms | gauge | | `consul.raft.leader.oldestLogAge` | The number of milliseconds since the _oldest_ log in the leader's log store was written. This can be important for replication health where write rate is high and the snapshot is large as followers may be unable to recover from a restart if restoring takes longer than the minimum value for the current leader. Compare this with `consul.raft.fsm.lastRestoreDuration` and `consul.raft.rpc.installSnapshot` to monitor. In normal usage this gauge value will grow linearly over time until a snapshot completes on the leader and the log is truncated. Note: this metric won't be emitted until the leader writes a snapshot. After an upgrade to Consul 1.10.0 it won't be emitted until the oldest log was written after the upgrade. | ms | gauge |
| `consul.raft.replication.heartbeat` | Measures the time taken to invoke appendEntries on a peer, so that it doesnt timeout on a periodic basis. | ms | timer | | `consul.raft.replication.heartbeat` | Measures the time taken to invoke appendEntries on a peer, so that it doesnt timeout on a periodic basis. | ms | timer |
| `consul.raft.replication.appendEntries` | Measures the time it takes to replicate log entries to followers. This is a general indicator of the load pressure on the Consul servers, as well as the performance of the communication between the servers. | ms | timer | | `consul.raft.replication.appendEntries` | Measures the time it takes to replicate log entries to followers. This is a general indicator of the load pressure on the Consul servers, as well as the performance of the communication between the servers. | ms | timer |
@ -529,7 +529,7 @@ These metrics give insight into the health of the cluster as a whole.
| `consul.memberlist.degraded.timeout` | Counts the number of times an agent was marked as a dead node, whilst not getting enough confirmations from a randomly selected list of agent nodes in an agent's membership. | occurrence / interval | counter | | `consul.memberlist.degraded.timeout` | Counts the number of times an agent was marked as a dead node, whilst not getting enough confirmations from a randomly selected list of agent nodes in an agent's membership. | occurrence / interval | counter |
| `consul.memberlist.msg.dead` | Counts the number of times an agent has marked another agent to be a dead node. | messages / interval | counter | | `consul.memberlist.msg.dead` | Counts the number of times an agent has marked another agent to be a dead node. | messages / interval | counter |
| `consul.memberlist.health.score` | Describes a node's perception of its own health based on how well it is meeting the soft real-time requirements of the protocol. This metric ranges from 0 to 8, where 0 indicates "totally healthy". This health score is used to scale the time between outgoing probes, and higher scores translate into longer probing intervals. For more details see section IV of the Lifeguard paper: https://arxiv.org/pdf/1707.00788.pdf | score | gauge | | `consul.memberlist.health.score` | Describes a node's perception of its own health based on how well it is meeting the soft real-time requirements of the protocol. This metric ranges from 0 to 8, where 0 indicates "totally healthy". This health score is used to scale the time between outgoing probes, and higher scores translate into longer probing intervals. For more details see section IV of the Lifeguard paper: https://arxiv.org/pdf/1707.00788.pdf | score | gauge |
| `consul.memberlist.msg.suspect` | Increments when an agent suspects another as failed when executing random probes as part of the gossip protocol. These can be an indicator of overloaded agents, network problems, or configuration errors where agents can not connect to each other on the [required ports](/docs/agent/options#ports). | suspect messages received / interval | counter | | `consul.memberlist.msg.suspect` | Increments when an agent suspects another as failed when executing random probes as part of the gossip protocol. These can be an indicator of overloaded agents, network problems, or configuration errors where agents can not connect to each other on the [required ports](/docs/agent/config/config-files#ports). | suspect messages received / interval | counter |
| `consul.memberlist.tcp.accept` | Counts the number of times an agent has accepted an incoming TCP stream connection. | connections accepted / interval | counter | | `consul.memberlist.tcp.accept` | Counts the number of times an agent has accepted an incoming TCP stream connection. | connections accepted / interval | counter |
| `consul.memberlist.udp.sent/received` | Measures the total number of bytes sent/received by an agent through the UDP protocol. | bytes sent or bytes received / interval | counter | | `consul.memberlist.udp.sent/received` | Measures the total number of bytes sent/received by an agent through the UDP protocol. | bytes sent or bytes received / interval | counter |
| `consul.memberlist.tcp.connect` | Counts the number of times an agent has initiated a push/pull sync with an other agent. | push/pull initiated / interval | counter | | `consul.memberlist.tcp.connect` | Counts the number of times an agent has initiated a push/pull sync with an other agent. | push/pull initiated / interval | counter |
@ -540,8 +540,8 @@ These metrics give insight into the health of the cluster as a whole.
| `consul.memberlist.msg_suspect` | The number of suspect messages that the agent has processed so far, based on the message information given by the network layer. | messages / Interval | counter | | `consul.memberlist.msg_suspect` | The number of suspect messages that the agent has processed so far, based on the message information given by the network layer. | messages / Interval | counter |
| `consul.memberlist.probeNode` | Measures the time taken to perform a single round of failure detection on a select agent. | nodes / Interval | counter | | `consul.memberlist.probeNode` | Measures the time taken to perform a single round of failure detection on a select agent. | nodes / Interval | counter |
| `consul.memberlist.pushPullNode` | Measures the number of agents that have exchanged state with this agent. | nodes / Interval | counter | | `consul.memberlist.pushPullNode` | Measures the number of agents that have exchanged state with this agent. | nodes / Interval | counter |
| `consul.serf.member.failed` | Increments when an agent is marked dead. This can be an indicator of overloaded agents, network problems, or configuration errors where agents cannot connect to each other on the [required ports](/docs/agent/options#ports). | failures / interval | counter | | `consul.serf.member.failed` | Increments when an agent is marked dead. This can be an indicator of overloaded agents, network problems, or configuration errors where agents cannot connect to each other on the [required ports](/docs/agent/config/config-files#ports). | failures / interval | counter |
| `consul.serf.member.flap` | Available in Consul 0.7 and later, this increments when an agent is marked dead and then recovers within a short time period. This can be an indicator of overloaded agents, network problems, or configuration errors where agents cannot connect to each other on the [required ports](/docs/agent/options#ports). | flaps / interval | counter | | `consul.serf.member.flap` | Available in Consul 0.7 and later, this increments when an agent is marked dead and then recovers within a short time period. This can be an indicator of overloaded agents, network problems, or configuration errors where agents cannot connect to each other on the [required ports](/docs/agent/config/config-files#ports). | flaps / interval | counter |
| `consul.serf.member.join` | Increments when an agent joins the cluster. If an agent flapped or failed this counter also increments when it re-joins. | joins / interval | counter | | `consul.serf.member.join` | Increments when an agent joins the cluster. If an agent flapped or failed this counter also increments when it re-joins. | joins / interval | counter |
| `consul.serf.member.left` | Increments when an agent leaves the cluster. | leaves / interval | counter | | `consul.serf.member.left` | Increments when an agent leaves the cluster. | leaves / interval | counter |
| `consul.serf.events` | Increments when an agent processes an [event](/commands/event). Consul uses events internally so there may be additional events showing in telemetry. There are also a per-event counters emitted as `consul.serf.events.`. | events / interval | counter | | `consul.serf.events` | Increments when an agent processes an [event](/commands/event). Consul uses events internally so there may be additional events showing in telemetry. There are also a per-event counters emitted as `consul.serf.events.`. | events / interval | counter |

View File

@ -173,11 +173,11 @@ So monthly cost would be calculated as:
- 500 ⨉ 13.3 = 6,650 certificates issued in dc3 - 500 ⨉ 13.3 = 6,650 certificates issued in dc3
The number of certificates issued could be reduced by increasing The number of certificates issued could be reduced by increasing
[`leaf_cert_ttl`](/docs/agent/options#ca_leaf_cert_ttl) in the CA Provider [`leaf_cert_ttl`](/docs/agent/config/config-files#ca_leaf_cert_ttl) in the CA Provider
configuration if the longer lived credentials are an acceptable risk tradeoff configuration if the longer lived credentials are an acceptable risk tradeoff
against the cost. against the cost.
<!-- Reference style links --> <!-- Reference style links -->
[`ca_config`]: /docs/agent/options#connect_ca_config [`ca_config`]: /docs/agent/config/config-files#connect_ca_config
[`ca_provider`]: /docs/agent/options#connect_ca_provider [`ca_provider`]: /docs/agent/config/config-files#connect_ca_provider
[`/connect/ca/configuration`]: /api-docs/connect/ca#update-ca-configuration [`/connect/ca/configuration`]: /api-docs/connect/ca#update-ca-configuration

View File

@ -92,7 +92,7 @@ Connect is enabled - the PrivateKey and RootCert fields have not been set, so th
been generated (as seen above in the roots list). been generated (as seen above in the roots list).
There are two ways to have the Consul CA use a custom private key and root certificate: There are two ways to have the Consul CA use a custom private key and root certificate:
either through the `ca_config` section of the [Agent configuration](/docs/agent/options#connect_ca_config) (which can only be used during the cluster's either through the `ca_config` section of the [Agent configuration](/docs/agent/config/config-files#connect_ca_config) (which can only be used during the cluster's
initial bootstrap) or through the [Update CA Configuration endpoint](/api/connect/ca#update-ca-configuration). initial bootstrap) or through the [Update CA Configuration endpoint](/api/connect/ca#update-ca-configuration).
Currently Consul requires that root certificates are valid [SPIFFE SVID Signing certificates](https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md) and that the URI encoded Currently Consul requires that root certificates are valid [SPIFFE SVID Signing certificates](https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md) and that the URI encoded

View File

@ -47,7 +47,7 @@ will generate the initial root certificates and setup the internal Consul server
state. state.
For the initial bootstrap, the CA provider can be configured through the For the initial bootstrap, the CA provider can be configured through the
[Agent configuration](/docs/agent/options#connect_ca_config). After [Agent configuration](/docs/agent/config/config-files#connect_ca_config). After
initialization, the CA can only be updated through the initialization, the CA can only be updated through the
[Update CA Configuration API endpoint](/api/connect/ca#update-ca-configuration). [Update CA Configuration API endpoint](/api/connect/ca#update-ca-configuration).
If a CA is already initialized, any changes to the CA configuration in the If a CA is already initialized, any changes to the CA configuration in the

View File

@ -280,6 +280,6 @@ path "/connect_inter/*" {
</CodeBlockConfig> </CodeBlockConfig>
<!-- Reference style links --> <!-- Reference style links -->
[`ca_config`]: /docs/agent/options#connect_ca_config [`ca_config`]: /docs/agent/config/config-files#connect_ca_config
[`ca_provider`]: /docs/agent/options#connect_ca_provider [`ca_provider`]: /docs/agent/config/config-files#connect_ca_provider
[`/connect/ca/configuration`]: /api-docs/connect/ca#update-ca-configuration [`/connect/ca/configuration`]: /api-docs/connect/ca#update-ca-configuration

View File

@ -28,7 +28,7 @@ You can configure the settings defined in the `exported-services` configuration
## Usage ## Usage
1. Verify that your datacenter meets the conditions specified in the [Requirements](#requirements). 1. Verify that your datacenter meets the conditions specified in the [Requirements](#requirements).
1. Specify the `exported-services` configuration in the agent configuration file (see [`config_entries`](/docs/agent/options#config_entries)) as described in [Configuration](#configuration). 1. Specify the `exported-services` configuration in the agent configuration file (see [`config_entries`](/docs/agent/config/config-files#config_entries)) as described in [Configuration](#configuration).
1. Apply the configuration using one of the following methods: 1. Apply the configuration using one of the following methods:
- Kubernetes CRD: Refer to the [Custom Resource Definitions](/docs/k8s/crds) documentation for details. - Kubernetes CRD: Refer to the [Custom Resource Definitions](/docs/k8s/crds) documentation for details.
- Issue the `consul config write` command: Refer to the [Consul Config Write](/commands/config/write) documentation for details. - Issue the `consul config write` command: Refer to the [Consul Config Write](/commands/config/write) documentation for details.

View File

@ -49,7 +49,7 @@ See [Agent - Config Entries](/docs/agent/config-entries).
## Using Configuration Entries For Service Defaults ## Using Configuration Entries For Service Defaults
Outside of Kubernetes, when the agent is Outside of Kubernetes, when the agent is
[configured](/docs/agent/options#enable_central_service_config) to enable [configured](/docs/agent/config/config-files#enable_central_service_config) to enable
central service configurations, it will look for service configuration defaults central service configurations, it will look for service configuration defaults
that match a registering service instance. If it finds any, the agent will merge that match a registering service instance. If it finds any, the agent will merge
those defaults with the service instance configuration. This allows for things those defaults with the service instance configuration. This allows for things

View File

@ -390,8 +390,8 @@ spec:
type: 'bool: false', type: 'bool: false',
description: `If enabled, all HTTP and gRPC checks registered with the agent are exposed through Envoy. description: `If enabled, all HTTP and gRPC checks registered with the agent are exposed through Envoy.
Envoy will expose listeners for these checks and will only accept connections originating from localhost or Consul's Envoy will expose listeners for these checks and will only accept connections originating from localhost or Consul's
[advertise address](/docs/agent/options#advertise). The port for these listeners are dynamically allocated from [advertise address](/docs/agent/config/config-files#advertise). The port for these listeners are dynamically allocated from
[expose_min_port](/docs/agent/options#expose_min_port) to [expose_max_port](/docs/agent/options#expose_max_port). [expose_min_port](/docs/agent/config/config-files#expose_min_port) to [expose_max_port](/docs/agent/config/config-files#expose_max_port).
This flag is useful when a Consul client cannot reach registered services over localhost.`, This flag is useful when a Consul client cannot reach registered services over localhost.`,
}, },
{ {

View File

@ -662,8 +662,8 @@ spec:
type: 'bool: false', type: 'bool: false',
description: `If enabled, all HTTP and gRPC checks registered with the agent are exposed through Envoy. description: `If enabled, all HTTP and gRPC checks registered with the agent are exposed through Envoy.
Envoy will expose listeners for these checks and will only accept connections originating from localhost or Consul's Envoy will expose listeners for these checks and will only accept connections originating from localhost or Consul's
[advertise address](/docs/agent/options#advertise). The port for these listeners are dynamically allocated from [advertise address](/docs/agent/config/config-files#advertise). The port for these listeners are dynamically allocated from
[expose_min_port](/docs/agent/options#expose_min_port) to [expose_max_port](/docs/agent/options#expose_max_port). [expose_min_port](/docs/agent/config/config-files#expose_min_port) to [expose_max_port](/docs/agent/config/config-files#expose_max_port).
This flag is useful when a Consul client cannot reach registered services over localhost. One example is when running This flag is useful when a Consul client cannot reach registered services over localhost. One example is when running
Consul on Kubernetes, and Consul agents run in their own pods.`, Consul on Kubernetes, and Consul agents run in their own pods.`,
}, },

View File

@ -488,7 +488,7 @@ spec:
first permission to match in the list is terminal and stops further first permission to match in the list is terminal and stops further
evaluation. As with L4 intentions, traffic that fails to match any of the evaluation. As with L4 intentions, traffic that fails to match any of the
provided permissions in this intention will be subject to the default provided permissions in this intention will be subject to the default
intention behavior is defined by the default [ACL policy](/docs/agent/options#acl_default_policy).<br><br> intention behavior is defined by the default [ACL policy](/docs/agent/config/config-files#acl_default_policy).<br><br>
This should be omitted for an L4 intention as it is mutually exclusive with This should be omitted for an L4 intention as it is mutually exclusive with
the \`Action\` field.<br><br> the \`Action\` field.<br><br>
Setting \`Permissions\` is not valid if a wildcard is used for the \`Name\` or \`Namespace\` because they can only be Setting \`Permissions\` is not valid if a wildcard is used for the \`Name\` or \`Namespace\` because they can only be
@ -498,7 +498,7 @@ spec:
first permission to match in the list is terminal and stops further first permission to match in the list is terminal and stops further
evaluation. As with L4 intentions, traffic that fails to match any of the evaluation. As with L4 intentions, traffic that fails to match any of the
provided permissions in this intention will be subject to the default provided permissions in this intention will be subject to the default
intention behavior is defined by the default [ACL policy](/docs/agent/options#acl_default_policy).<br><br> intention behavior is defined by the default [ACL policy](/docs/agent/config/config-files#acl_default_policy).<br><br>
This should be omitted for an L4 intention as it is mutually exclusive with This should be omitted for an L4 intention as it is mutually exclusive with
the \`action\` field.<br><br> the \`action\` field.<br><br>
Setting \`permissions\` is not valid if a wildcard is used for the \`spec.destination.name\` or \`spec.destination.namespace\` Setting \`permissions\` is not valid if a wildcard is used for the \`spec.destination.name\` or \`spec.destination.namespace\`

View File

@ -22,7 +22,7 @@ The first step to use Connect is to enable Connect for your Consul
cluster. By default, Connect is disabled. Enabling Connect requires changing cluster. By default, Connect is disabled. Enabling Connect requires changing
the configuration of only your Consul _servers_ (not client agents). To enable the configuration of only your Consul _servers_ (not client agents). To enable
Connect, add the following to a new or existing Connect, add the following to a new or existing
[server configuration file](/docs/agent/options). In an existing cluster, this configuration change requires a Consul server restart, which you can perform one server at a time to maintain availability. In HCL: [server configuration file](/docs/agent/config/config-files). In an existing cluster, this configuration change requires a Consul server restart, which you can perform one server at a time to maintain availability. In HCL:
```hcl ```hcl
connect { connect {
@ -43,20 +43,20 @@ connection attempts to fail until Connect is enabled on the server agents.
Other optional Connect configurations that you can set in the server Other optional Connect configurations that you can set in the server
configuration file include: configuration file include:
- [certificate authority settings](/docs/agent/options#connect) - [certificate authority settings](/docs/agent/config/config-files#connect)
- [token replication](/docs/agent/options#acl_tokens_replication) - [token replication](/docs/agent/config/config-files#acl_tokens_replication)
- [dev mode](/docs/agent/options#_dev) - [dev mode](/docs/agent/config/cli-flags#_dev)
- [server host name verification](/docs/agent/options#verify_server_hostname) - [server host name verification](/docs/agent/config/config-files#verify_server_hostname)
If you would like to use Envoy as your Connect proxy you will need to [enable If you would like to use Envoy as your Connect proxy you will need to [enable
gRPC](/docs/agent/options#grpc_port). gRPC](/docs/agent/config/config-files#grpc_port).
Additionally if you plan on using the observability features of Connect, it can Additionally if you plan on using the observability features of Connect, it can
be convenient to configure your proxies and services using [configuration be convenient to configure your proxies and services using [configuration
entries](/docs/agent/config-entries) which you can interact with using the entries](/docs/agent/config-entries) which you can interact with using the
CLI or API, or by creating configuration entry files. You will want to enable CLI or API, or by creating configuration entry files. You will want to enable
[centralized service [centralized service
configuration](/docs/agent/options#enable_central_service_config) on configuration](/docs/agent/config/config-files#enable_central_service_config) on
clients, which allows each service's proxy configuration to be managed centrally clients, which allows each service's proxy configuration to be managed centrally
via API. via API.

View File

@ -109,10 +109,10 @@ externally routable IPs at the service level.
## Intention Replication ## Intention Replication
Intention replication happens automatically but requires the Intention replication happens automatically but requires the
[`primary_datacenter`](/docs/agent/options#primary_datacenter) [`primary_datacenter`](/docs/agent/config/config-files#primary_datacenter)
configuration to be set to specify a datacenter that is authoritative configuration to be set to specify a datacenter that is authoritative
for intentions. In production setups with ACLs enabled, the for intentions. In production setups with ACLs enabled, the
[replication token](/docs/agent/options#acl_tokens_replication) must also [replication token](/docs/agent/config/config-files#acl_tokens_replication) must also
be set in the secondary datacenter server's configuration. be set in the secondary datacenter server's configuration.
## Certificate Authority Federation ## Certificate Authority Federation

View File

@ -40,8 +40,8 @@ the [hosts](/docs/connect/config-entries/ingress-gateway#hosts) field.
Ingress gateways also require that your Consul datacenters are configured correctly: Ingress gateways also require that your Consul datacenters are configured correctly:
- You'll need to use Consul version 1.8.0 or newer. - You'll need to use Consul version 1.8.0 or newer.
- Consul [Connect](/docs/agent/options#connect) must be enabled on the datacenter's Consul servers. - Consul [Connect](/docs/agent/config/config-files#connect) must be enabled on the datacenter's Consul servers.
- [gRPC](/docs/agent/options#grpc_port) must be enabled on all client agents. - [gRPC](/docs/agent/config/config-files#grpc_port) must be enabled on all client agents.
Currently, [Envoy](https://www.envoyproxy.io/) is the only proxy with ingress gateway capabilities in Consul. Currently, [Envoy](https://www.envoyproxy.io/) is the only proxy with ingress gateway capabilities in Consul.

View File

@ -30,12 +30,13 @@ Ensure that your Consul environment meets the following requirements.
* Consul version 1.6.0 or newer. * Consul version 1.6.0 or newer.
* A local Consul agent is required to manage its configuration. * A local Consul agent is required to manage its configuration.
* Consul [Connect](/docs/agent/options#connect) must be enabled in both datacenters. * Consul [Connect](/docs/agent/config/config-files#connect) must be enabled in both datacenters.
* Each [datacenter](/docs/agent/options#datacenter) must have a unique name. * Each [datacenter](/docs/agent/config/config-files#datacenter) must have a unique name.
* Each datacenters must be [WAN joined](https://learn.hashicorp.com/tutorials/consul/federarion-gossip-wan). * Each datacenters must be [WAN joined](https://learn.hashicorp.com/tutorials/consul/federarion-gossip-wan).
* The [primary datacenter](/docs/agent/options#primary_datacenter) must be set to the same value in both datacenters. This specifies which datacenter is the authority for Connect certificates and is required for services in all datacenters to establish mutual TLS with each other. * The [primary datacenter](/docs/agent/config/config-files#primary_datacenter) must be set to the same value in both datacenters. This specifies which datacenter is the authority for Connect certificates and is required for services in all datacenters to establish mutual TLS with each other.
* [gRPC](/docs/agent/options#grpc_port) must be enabled. * [gRPC](/docs/agent/config/config-files#grpc_port) must be enabled.
* If you want to [enable gateways globally](/docs/connect/gateways/mesh-gateway/service-to-service-traffic-datacenters#enabling-gateways-globally) you must enable [centralized configuration](/docs/agent/options#enable_central_service_config). * If you want to [enable gateways globally](/docs/connect/mesh-gateway#enabling-gateways-globally) you must enable [centralized configuration](/docs/agent/config/config-files#enable_central_service_config).
* The [primary datacenter](/docs/agent/config/config-files#primary_datacenter) must be set to the same value in both datacenters. This specifies which datacenter is the authority for Connect certificates and is required for services in all datacenters to establish mutual TLS with each other.
### Network ### Network

View File

@ -23,10 +23,16 @@ Ensure that your Consul environment meets the following requirements.
### Consul ### Consul
* Consul Enterprise version 1.11.0 or newer. * Consul Enterprise version 1.11.0 or newer.
* A local Consul agent is required to manage its configuration. * A local Consul agent is required to manage its configuration.
* Consul service mesh must be enabled in all partitions. Refer to the [`connect` documentation](/docs/agent/options#connect) for details.
* Each partition must have a unique name. Refer to the [admin partitions documentation](/docs/enterprise/admin-partitions) for details. * Each partition must have a unique name. Refer to the [admin partitions documentation](/docs/enterprise/admin-partitions) for details.
* If you want to [enable gateways globally](/docs/connect/gateways/mesh-gateway/service-to-service-traffic-datacenters#enabling-gateways-globally) you must enable [centralized configuration](/docs/agent/options#enable_central_service_config).
* Consul service mesh must be enabled in all partitions. Refer to the [`connect` documentation](/docs/agent/config/config-files#connect) for details.
* Each partition must have a unique name. Refer to the [admin partitions documentation](/docs/enteprise/admin-partitions) for details.
* If you want to [enable gateways globally](/docs/connect/mesh-gateway#enabling-gateways-globally) you must enable [centralized configuration](/docs/agent/config/config-files#enable_central_service_config).
### Proxy ### Proxy

View File

@ -126,10 +126,9 @@ connect {
} }
``` ```
The [`start_join_wan`](/docs/agent/options#start_join_wan) or [`retry_join_wan`](/docs/agent/options#retry_join_wan) are only used for the [traditional federation process](/docs/k8s/installation/multi-cluster#traditional-wan-federation). They must be omitted when federating Consul servers via gateways. References to [`start_join_wan`](/docs/agent/config/config-files#start_join_wan) or [`retry_join_wan`](/docs/agent/config/config-files#retry_join_wan) should be omitted.
-> The `primary_gateways` configuration can also use `go-discover` syntax just -> The `primary_gateways` configuration can use the same `go-discover` syntax used in `retry_join_wan`.
like `retry_join_wan`.
### Bootstrapping ### Bootstrapping

View File

@ -59,8 +59,8 @@ Each terminating gateway needs:
Terminating gateways also require that your Consul datacenters are configured correctly: Terminating gateways also require that your Consul datacenters are configured correctly:
- You'll need to use Consul version 1.8.0 or newer. - You'll need to use Consul version 1.8.0 or newer.
- Consul [Connect](/docs/agent/options#connect) must be enabled on the datacenter's Consul servers. - Consul [Connect](/docs/agent/config/config-files#connect) must be enabled on the datacenter's Consul servers.
- [gRPC](/docs/agent/options#grpc_port) must be enabled on all client agents. - [gRPC](/docs/agent/config/config-files#grpc_port) must be enabled on all client agents.
Currently, [Envoy](https://www.envoyproxy.io/) is the only proxy with terminating gateway capabilities in Consul. Currently, [Envoy](https://www.envoyproxy.io/) is the only proxy with terminating gateway capabilities in Consul.

View File

@ -25,7 +25,7 @@ is allowed by testing the intentions. If authorize returns false the
connection must be terminated. connection must be terminated.
The default intention behavior is defined by the default [ACL The default intention behavior is defined by the default [ACL
policy](/docs/agent/options#acl_default_policy). If the default ACL policy is policy](/docs/agent/config/config-files#acl_default_policy). If the default ACL policy is
"allow all", then all Connect connections are allowed by default. If the "allow all", then all Connect connections are allowed by default. If the
default ACL policy is "deny all", then all Connect connections are denied by default ACL policy is "deny all", then all Connect connections are denied by
default. default.

View File

@ -49,7 +49,7 @@ target destination. After verifying the TLS client certificate, the cached
intentions should be consulted for each incoming connection/request to intentions should be consulted for each incoming connection/request to
determine if it should be accepted or rejected. determine if it should be accepted or rejected.
The default intention behavior is defined by the [`default_policy`](/docs/agent/options#acl_default_policy) configuration. The default intention behavior is defined by the [`default_policy`](/docs/agent/config/config-files#acl_default_policy) configuration.
If the configuration is set `allow`, then all service mesh Connect connections will be allowed by default. If the configuration is set `allow`, then all service mesh Connect connections will be allowed by default.
If is set to `deny`, then all connections or requests will be denied by default. If is set to `deny`, then all connections or requests will be denied by default.

View File

@ -18,10 +18,10 @@ to:
- Define the upstreams for each of your services. - Define the upstreams for each of your services.
If you are using Envoy as your sidecar proxy, you will need to [enable If you are using Envoy as your sidecar proxy, you will need to [enable
gRPC](/docs/agent/options#grpc_port) on your client agents. To define the gRPC](/docs/agent/config/config-files#grpc_port) on your client agents. To define the
metrics destination and service protocol you may want to enable [configuration metrics destination and service protocol you may want to enable [configuration
entries](/docs/agent/options#config_entries) and [centralized service entries](/docs/agent/config/config-files#config_entries) and [centralized service
configuration](/docs/agent/options#enable_central_service_config). configuration](/docs/agent/config/config-files#enable_central_service_config).
### Kubernetes ### Kubernetes
If you are using Kubernetes, the Helm chart can simplify much of the configuration needed to enable observability. See If you are using Kubernetes, the Helm chart can simplify much of the configuration needed to enable observability. See

View File

@ -47,11 +47,11 @@ UI. If there are multiple clients with the UI enabled in a datacenter for
redundancy these configurations must be added to all of them. redundancy these configurations must be added to all of them.
We assume that the UI is already enabled by setting We assume that the UI is already enabled by setting
[`ui_config.enabled`](/docs/agent/options#ui_config_enabled) to `true` in the [`ui_config.enabled`](/docs/agent/config/config-files#ui_config_enabled) to `true` in the
agent's configuration file. agent's configuration file.
To use the built-in Prometheus provider To use the built-in Prometheus provider
[`ui_config.metrics_provider`](/docs/agent/options#ui_config_metrics_provider) [`ui_config.metrics_provider`](/docs/agent/config/config-files#ui_config_metrics_provider)
must be set to `prometheus`. must be set to `prometheus`.
The UI must query the metrics provider through a proxy endpoint. This simplifies The UI must query the metrics provider through a proxy endpoint. This simplifies
@ -59,7 +59,7 @@ deployment where Prometheus is not exposed externally to UI user's browsers.
To set this up, provide the URL that the _Consul agent_ should use to reach the To set this up, provide the URL that the _Consul agent_ should use to reach the
Prometheus server in Prometheus server in
[`ui_config.metrics_proxy.base_url`](/docs/agent/options#ui_config_metrics_proxy_base_url). [`ui_config.metrics_proxy.base_url`](/docs/agent/config/config-files#ui_config_metrics_proxy_base_url).
For example in Kubernetes, the Prometheus helm chart by default installs a For example in Kubernetes, the Prometheus helm chart by default installs a
service named `prometheus-server` so each Consul agent can reach it on service named `prometheus-server` so each Consul agent can reach it on
`http://prometheus-server` (using Kubernetes' DNS resolution). `http://prometheus-server` (using Kubernetes' DNS resolution).
@ -124,7 +124,7 @@ service-specific dashboard in an external tool like
[Grafana](https://grafana.com) or a hosted provider. [Grafana](https://grafana.com) or a hosted provider.
To configure this, you must provide a URL template in the [agent configuration To configure this, you must provide a URL template in the [agent configuration
file](/docs/agent/options#ui_config_dashboard_url_templates) for all agents that file](/docs/agent/config/config-files#ui_config_dashboard_url_templates) for all agents that
have the UI enabled. The template is essentially the URL to the external have the UI enabled. The template is essentially the URL to the external
dashboard, but can have placeholder values which will be replaced with the dashboard, but can have placeholder values which will be replaced with the
service name, namespace and datacenter where appropriate to allow deep-linking service name, namespace and datacenter where appropriate to allow deep-linking
@ -659,12 +659,12 @@ ui_config {
</CodeTabs> </CodeTabs>
More than one JavaScript file may be specified in More than one JavaScript file may be specified in
[`metrics_provider_files`](/docs/agent/options#ui_config_metrics_provider_files) [`metrics_provider_files`](/docs/agent/config/config-files#ui_config_metrics_provider_files)
and all we be served allowing flexibility if needed to include dependencies. and all we be served allowing flexibility if needed to include dependencies.
Only one metrics provider can be configured and used at one time. Only one metrics provider can be configured and used at one time.
The The
[`metrics_provider_options_json`](/docs/agent/options#ui_config_metrics_provider_options_json) [`metrics_provider_options_json`](/docs/agent/config/config-files#ui_config_metrics_provider_options_json)
field is an optional literal JSON object which is passed to the provider's field is an optional literal JSON object which is passed to the provider's
`init` method at startup time. This allows configuring arbitrary parameters for `init` method at startup time. This allows configuring arbitrary parameters for
the provider in config rather than hard coding them into the provider itself to the provider in config rather than hard coding them into the provider itself to
@ -673,7 +673,7 @@ make providers more reusable.
The provider may fetch metrics directly from another source although in this The provider may fetch metrics directly from another source although in this
case the agent will probably need to serve the correct CORS headers to prevent case the agent will probably need to serve the correct CORS headers to prevent
browsers from blocking these requests. These may be configured with browsers from blocking these requests. These may be configured with
[`http_config.response_headers`](/docs/agent/options#response_headers). [`http_config.response_headers`](/docs/agent/config/config-files#response_headers).
Alternatively, the provider may choose to use the [built-in metrics Alternatively, the provider may choose to use the [built-in metrics
proxy](#metrics-proxy) to avoid cross domain issues or to inject additional proxy](#metrics-proxy) to avoid cross domain issues or to inject additional

View File

@ -52,9 +52,10 @@ All fields are optional with a reasonable default.
_public_ mTLS listener to. It defaults to the same address the agent binds to. _public_ mTLS listener to. It defaults to the same address the agent binds to.
- `bind_port` - The port the proxy will bind its _public_ - `bind_port` - The port the proxy will bind its _public_
mTLS listener to. If not provided, the agent will assign a random port from its mTLS listener to. If not provided, the agent will attempt to assign one from its
configured proxy port range specified by [`sidecar_min_port`](/docs/agent/options#sidecar_min_port) [configured proxy port range](/docs/agent/config/config-files#sidecar_min_port) if available.
and [`sidecar_max_port`](/docs/agent/options#sidecar_max_port). By default the range is [20000, 20255] and the port is selected at random from
that range.
- `local_service_address`- The `[address]:port` - `local_service_address`- The `[address]:port`
that the proxy should use to connect to the local application instance. By default that the proxy should use to connect to the local application instance. By default

View File

@ -184,7 +184,7 @@ the upstream listeners of any downstream service.
One example is how users can define a service's protocol in a [`service-defaults` configuration One example is how users can define a service's protocol in a [`service-defaults` configuration
entry](/docs/connect/config-entries/service-defaults). Agents with entry](/docs/connect/config-entries/service-defaults). Agents with
[`enable_central_service_config`](/docs/agent/options#enable_central_service_config) [`enable_central_service_config`](/docs/agent/config/config-files#enable_central_service_config)
set to true will automatically discover the protocol when configuring a proxy set to true will automatically discover the protocol when configuring a proxy
for a service. The proxy will discover the main protocol of the service it for a service. The proxy will discover the main protocol of the service it
represents and use this to configure its main public listener. It will also represents and use this to configure its main public listener. It will also

View File

@ -24,7 +24,7 @@ Managed proxies have been deprecated since Consul 1.3 and have been fully remove
in Consul 1.6. Anyone using Managed Proxies should aim to change their workflow in Consul 1.6. Anyone using Managed Proxies should aim to change their workflow
as soon as possible to avoid issues with a later upgrade. as soon as possible to avoid issues with a later upgrade.
After transitioning away from all managed proxy usage, the `proxy` subdirectory inside [`data_dir`](/docs/agent/options#_data_dir) (specified in Consul config) can be deleted to remove extraneous configuration files and free up disk space. After transitioning away from all managed proxy usage, the `proxy` subdirectory inside [`data_dir`](/docs/agent/config/cli-flags#_data_dir) (specified in Consul config) can be deleted to remove extraneous configuration files and free up disk space.
**new and known issues will not be fixed**. **new and known issues will not be fixed**.
@ -79,7 +79,7 @@ via agent configuration files. They _cannot_ be registered via the HTTP API.
And 2.) Managed proxies are not started at all if Consul is running as root. And 2.) Managed proxies are not started at all if Consul is running as root.
Both of these default configurations help prevent arbitrary process Both of these default configurations help prevent arbitrary process
execution or privilege escalation. This behavior can be configured execution or privilege escalation. This behavior can be configured
[per-agent](/docs/agent/options). [per-agent](/docs/agent/config).
### Lifecycle ### Lifecycle
@ -275,6 +275,6 @@ level logs showing service discovery, certificate and authorization information.
~> **Note:** In `-dev` mode there is no `data_dir` unless one is explicitly ~> **Note:** In `-dev` mode there is no `data_dir` unless one is explicitly
configured so logging is disabled. You can access logs by providing the configured so logging is disabled. You can access logs by providing the
[`-data-dir`](/docs/agent/options#_data_dir) CLI option. If a data dir is [`-data-dir`](/docs/agent/config/cli-flags#_data_dir) CLI option. If a data dir is
configured, this will also cause proxy processes to stay running when the agent configured, this will also cause proxy processes to stay running when the agent
terminates as described in [Lifecycle](#lifecycle). terminates as described in [Lifecycle](#lifecycle).

View File

@ -437,8 +437,8 @@ registrations](/docs/discovery/services#service-definition-parameter-case).
- `checks` `(bool: false)` - If enabled, all HTTP and gRPC checks registered with the agent are exposed through Envoy. - `checks` `(bool: false)` - If enabled, all HTTP and gRPC checks registered with the agent are exposed through Envoy.
Envoy will expose listeners for these checks and will only accept connections originating from localhost or Consul's Envoy will expose listeners for these checks and will only accept connections originating from localhost or Consul's
[advertise address](/docs/agent/options#advertise). The port for these listeners are dynamically allocated from [advertise address](/docs/agent/config/config-files#advertise). The port for these listeners are dynamically allocated from
[expose_min_port](/docs/agent/options#expose_min_port) to [expose_max_port](/docs/agent/options#expose_max_port). [expose_min_port](/docs/agent/config/config-files#expose_min_port) to [expose_max_port](/docs/agent/config/config-files#expose_max_port).
This flag is useful when a Consul client cannot reach registered services over localhost. One example is when running This flag is useful when a Consul client cannot reach registered services over localhost. One example is when running
Consul on Kubernetes, and Consul agents run in their own pods. Consul on Kubernetes, and Consul agents run in their own pods.
- `paths` `array<Path>: []` - A list of paths to expose through Envoy. - `paths` `array<Path>: []` - A list of paths to expose through Envoy.

View File

@ -130,9 +130,15 @@ proxy.
- `name` - Defaults to being `<parent-service-name>-sidecar-proxy`. - `name` - Defaults to being `<parent-service-name>-sidecar-proxy`.
- `tags` - Defaults to the tags of the parent service. - `tags` - Defaults to the tags of the parent service.
- `meta` - Defaults to the service metadata of the parent service. - `meta` - Defaults to the service metadata of the parent service.
<<<<<<< HEAD
- `port` - Defaults to being auto-assigned from a configurable - `port` - Defaults to being auto-assigned from a configurable
range specified by [`sidecar_min_port`](/docs/agent/options#sidecar_min_port) range specified by [`sidecar_min_port`](/docs/agent/options#sidecar_min_port)
and [`sidecar_max_port`](/docs/agent/options#sidecar_max_port). and [`sidecar_max_port`](/docs/agent/options#sidecar_max_port).
=======
- `port` - Defaults to being auto-assigned from a [configurable
range](/docs/agent/config/config-files#sidecar_min_port) that is
by default `[21000, 21255]`.
>>>>>>> cd907b75cebdefe62a30986e0cdc7bd528c52159
- `kind` - Defaults to `connect-proxy`. This can't be overridden currently. - `kind` - Defaults to `connect-proxy`. This can't be overridden currently.
- `check`, `checks` - By default we add a TCP check on the local address and - `check`, `checks` - By default we add a TCP check on the local address and
port for the proxy, and a [service alias port for the proxy, and a [service alias

View File

@ -34,10 +34,10 @@ There are several different kinds of checks:
In Consul 0.9.0 and later, script checks are not enabled by default. To use them you In Consul 0.9.0 and later, script checks are not enabled by default. To use them you
can either use : can either use :
- [`enable_local_script_checks`](/docs/agent/options#_enable_local_script_checks): - [`enable_local_script_checks`](/docs/agent/config/cli-flags#_enable_local_script_checks):
enable script checks defined in local config files. Script checks defined via the HTTP enable script checks defined in local config files. Script checks defined via the HTTP
API will not be allowed. API will not be allowed.
- [`enable_script_checks`](/docs/agent/options#_enable_script_checks): enable - [`enable_script_checks`](/docs/agent/config/cli-flags#_enable_script_checks): enable
script checks regardless of how they are defined. script checks regardless of how they are defined.
~> **Security Warning:** Enabling script checks in some configurations may ~> **Security Warning:** Enabling script checks in some configurations may
@ -105,7 +105,7 @@ There are several different kinds of checks:
has to be performed is configurable which makes it possible to run containers which has to be performed is configurable which makes it possible to run containers which
have different shells on the same host. Check output for Docker is limited to have different shells on the same host. Check output for Docker is limited to
4KB. Any output larger than this will be truncated. In Consul 0.9.0 and later, the agent 4KB. Any output larger than this will be truncated. In Consul 0.9.0 and later, the agent
must be configured with [`enable_script_checks`](/docs/agent/options#_enable_script_checks) must be configured with [`enable_script_checks`](/docs/agent/config/cli-flags#_enable_script_checks)
set to `true` in order to enable Docker health checks. set to `true` in order to enable Docker health checks.
- `gRPC + Interval` - These checks are intended for applications that support the standard - `gRPC + Interval` - These checks are intended for applications that support the standard
@ -462,7 +462,7 @@ This is the only convention that Consul depends on. Any output of the script
will be captured and stored in the `output` field. will be captured and stored in the `output` field.
In Consul 0.9.0 and later, the agent must be configured with In Consul 0.9.0 and later, the agent must be configured with
[`enable_script_checks`](/docs/agent/options#_enable_script_checks) set to `true` [`enable_script_checks`](/docs/agent/config/cli-flags#_enable_script_checks) set to `true`
in order to enable script checks. in order to enable script checks.
## Initial Health Check Status ## Initial Health Check Status
@ -538,7 +538,7 @@ provided by the node will remain unchanged.
## Agent Certificates for TLS Checks ## Agent Certificates for TLS Checks
The [enable_agent_tls_for_checks](/docs/agent/options#enable_agent_tls_for_checks) The [enable_agent_tls_for_checks](/docs/agent/config/config-files#enable_agent_tls_for_checks)
agent configuration option can be utilized to have HTTP or gRPC health checks agent configuration option can be utilized to have HTTP or gRPC health checks
to use the agent's credentials when configured for TLS. to use the agent's credentials when configured for TLS.

View File

@ -21,18 +21,18 @@ are located in the `us-east-1` datacenter, and have no failing health checks.
It's that simple! It's that simple!
There are a number of configuration options that are important for the DNS interface, There are a number of configuration options that are important for the DNS interface,
specifically [`client_addr`](/docs/agent/options#client_addr),[`ports.dns`](/docs/agent/options#dns_port), specifically [`client_addr`](/docs/agent/config/config-files#client_addr),[`ports.dns`](/docs/agent/config/config-files#dns_port),
[`recursors`](/docs/agent/options#recursors),[`domain`](/docs/agent/options#domain), [`recursors`](/docs/agent/config/config-files#recursors),[`domain`](/docs/agent/config/config-files#domain),
[`alt_domain`](/docs/agent/options#alt_domain), and [`dns_config`](/docs/agent/options#dns_config). [`alt_domain`](/docs/agent/config/config-files#alt_domain), and [`dns_config`](/docs/agent/config/config-files#dns_config).
By default, Consul will listen on 127.0.0.1:8600 for DNS queries in the `consul.` By default, Consul will listen on 127.0.0.1:8600 for DNS queries in the `consul.`
domain, without support for further DNS recursion. Please consult the domain, without support for further DNS recursion. Please consult the
[documentation on configuration options](/docs/agent/options), [documentation on configuration options](/docs/agent/config),
specifically the configuration items linked above, for more details. specifically the configuration items linked above, for more details.
There are a few ways to use the DNS interface. One option is to use a custom There are a few ways to use the DNS interface. One option is to use a custom
DNS resolver library and point it at Consul. Another option is to set Consul DNS resolver library and point it at Consul. Another option is to set Consul
as the DNS server for a node and provide a as the DNS server for a node and provide a
[`recursors`](/docs/agent/options#recursors) configuration so that non-Consul queries [`recursors`](/docs/agent/config/config-files#recursors) configuration so that non-Consul queries
can also be resolved. The last method is to forward all queries for the "consul." can also be resolved. The last method is to forward all queries for the "consul."
domain to a Consul agent from the existing DNS server. Review the domain to a Consul agent from the existing DNS server. Review the
[DNS Forwarding tutorial](https://learn.hashicorp.com/tutorials/consul/dns-forwarding?utm_source=consul.io&utm_medium=docs) for examples. [DNS Forwarding tutorial](https://learn.hashicorp.com/tutorials/consul/dns-forwarding?utm_source=consul.io&utm_medium=docs) for examples.
@ -412,15 +412,15 @@ are not truncated.
## Alternative Domain ## Alternative Domain
By default, Consul responds to DNS queries in the `consul` domain, By default, Consul responds to DNS queries in the `consul` domain,
but you can set a specific domain for responding to DNS queries by configuring the [`domain`](/docs/agent/options#domain) parameter. but you can set a specific domain for responding to DNS queries by configuring the [`domain`](/docs/agent/config/config-files#domain) parameter.
In some instances, Consul may need to respond to queries in more than one domain, In some instances, Consul may need to respond to queries in more than one domain,
such as during a DNS migration or to distinguish between internal and external queries. such as during a DNS migration or to distinguish between internal and external queries.
Consul versions 1.5.2+ can be configured to respond to DNS queries on an alternative domain Consul versions 1.5.2+ can be configured to respond to DNS queries on an alternative domain
through the [`alt_domain`](/docs/agent/options#alt_domain) agent configuration through the [`alt_domain`](/docs/agent/config/config-files#alt_domain) agent configuration
option. As of Consul versions 1.11.0+, Consul's DNS response will use the same domain as was used in the query; option. As of Consul versions 1.11.0+, Consul's DNS response will use the same domain as was used in the query;
in prior versions, the response may use the primary [`domain`](/docs/agent/options#domain) no matter which in prior versions, the response may use the primary [`domain`](/docs/agent/config/config-files#domain) no matter which
domain was used in the query. domain was used in the query.
In the following example, the `alt_domain` parameter is set to `test-domain`: In the following example, the `alt_domain` parameter is set to `test-domain`:
@ -447,9 +447,8 @@ machine.node.dc1.test-domain. 0 IN A 127.0.0.1
machine.node.dc1.test-domain. 0 IN TXT "consul-network-segment=" machine.node.dc1.test-domain. 0 IN TXT "consul-network-segment="
``` ```
-> **PTR queries:** Responses to PTR queries (`<ip>.in-addr.arpa.`) will always use the -> **PTR queries:** Responses to PTR queries (`<ip>.in-addr.arpa.`) always use the
[primary domain](/docs/agent/options#domain) (not the alternative domain), [primary domain](/docs/agent/config/config-files#domain) and not the alternative domain. This is because the query cannot specify a domain.
as there is no way for the query to specify a domain.
## Caching ## Caching
@ -463,8 +462,8 @@ for [DNS caching](https://learn.hashicorp.com/tutorials/consul/dns-caching).
By default, Consul DNS queries will return a node's local address, even when By default, Consul DNS queries will return a node's local address, even when
being queried from a remote datacenter. If you need to use a different address being queried from a remote datacenter. If you need to use a different address
to reach a node from outside its datacenter, you can configure this behavior to reach a node from outside its datacenter, you can configure this behavior
using the [`advertise-wan`](/docs/agent/options#_advertise-wan) and using the [`advertise-wan`](/docs/agent/config/cli-flags#_advertise-wan) and
[`translate_wan_addrs`](/docs/agent/options#translate_wan_addrs) configuration [`translate_wan_addrs`](/docs/agent/config/config-files#translate_wan_addrs) configuration
options. options.
## Namespaced/Partitioned Services <EnterpriseAlert inline /> ## Namespaced/Partitioned Services <EnterpriseAlert inline />
@ -480,7 +479,7 @@ services from other namespaces or partitions the following form can be used:
This is the canonical name of a Consul Enterprise service. Currently all parts must be This is the canonical name of a Consul Enterprise service. Currently all parts must be
present - in a future version (once the present - in a future version (once the
[`prefer_namespace` configuration](/docs/agent/options#dns_prefer_namespace) has been [`prefer_namespace` configuration](/docs/agent/config/config-files#dns_prefer_namespace) has been
deprecated), the namespace, partition and datacenter components will become optional deprecated), the namespace, partition and datacenter components will become optional
and may be individually omitted to default to the `default` namespace, local partition and may be individually omitted to default to the `default` namespace, local partition
or local datacenter respectively. or local datacenter respectively.
@ -494,7 +493,7 @@ are enabled, you must first create ACL tokens with the necessary policies.
Consul agents resolve DNS requests using one of the preconfigured tokens below, Consul agents resolve DNS requests using one of the preconfigured tokens below,
listed in order of precedence: listed in order of precedence:
1. The agent's [`default` token](/docs/agent/options#acl_tokens_default). 1. The agent's [`default` token](/docs/agent/config/config-files#acl_tokens_default).
2. The built-in [`anonymous` token](/docs/security/acl/acl-system#builtin-tokens). 2. The built-in [`anonymous` token](/docs/security/acl/acl-system#builtin-tokens).
Because the anonymous token is used when any request is made to Consul without Because the anonymous token is used when any request is made to Consul without
explicitly specifying a token, production deployments should not apply policies explicitly specifying a token, production deployments should not apply policies

View File

@ -39,7 +39,7 @@ privileges on one key for developers to update the value related to their
application. application.
The datastore itself is located on the Consul servers in the [data The datastore itself is located on the Consul servers in the [data
directory](/docs/agent/options#_data_dir). To ensure data is not lost in directory](/docs/agent/config/cli-flags#_data_dir). To ensure data is not lost in
the event of a complete outage, use the [`consul snapshot`](/commands/snapshot/restore) feature to backup the data. the event of a complete outage, use the [`consul snapshot`](/commands/snapshot/restore) feature to backup the data.
## Using Consul KV ## Using Consul KV
@ -48,7 +48,7 @@ Objects are opaque to Consul, meaning there are no restrictions on the type of
object stored in a key/value entry. The main restriction on an object is size - object stored in a key/value entry. The main restriction on an object is size -
the maximum is 512 KB. Due to the maximum object size and main use cases, you the maximum is 512 KB. Due to the maximum object size and main use cases, you
should not need extra storage; the general [sizing should not need extra storage; the general [sizing
recommendations](/docs/agent/options#kv_max_value_size) recommendations](/docs/agent/config/config-files#kv_max_value_size)
are usually sufficient. are usually sufficient.
Keys, like objects are not restricted by type and can include any character. Keys, like objects are not restricted by type and can include any character.

View File

@ -20,7 +20,7 @@ Watches are implemented using blocking queries in the [HTTP API](/api).
Agents automatically make the proper API calls to watch for changes Agents automatically make the proper API calls to watch for changes
and inform a handler when the data view has updated. and inform a handler when the data view has updated.
Watches can be configured as part of the [agent's configuration](/docs/agent/options#watches), Watches can be configured as part of the [agent's configuration](/docs/agent/config/config-files#watches),
causing them to run once the agent is initialized. Reloading the agent configuration causing them to run once the agent is initialized. Reloading the agent configuration
allows for adding or removing watches dynamically. allows for adding or removing watches dynamically.

View File

@ -24,15 +24,14 @@ greater insight into Consul access and usage patterns.
For more experience leveraging Consul's audit logging functionality, explore our For more experience leveraging Consul's audit logging functionality, explore our
HashiCorp Learn tutorial [Capture Consul Events with Audit Logging](https://learn.hashicorp.com/tutorials/consul/audit-logging). HashiCorp Learn tutorial [Capture Consul Events with Audit Logging](https://learn.hashicorp.com/tutorials/consul/audit-logging).
For detailed configuration information on configuring the Consul Enterprise's audit For detailed configuration information on configuring the Consul Enterprise's audit logging, review the Consul [Audit Log](/docs/agent/config/config-files#audit)
logging, review the Consul [Audit Log](/docs/agent/options#audit)
documentation. documentation.
## Example Configuration ## Example Configuration
Audit logging must be enabled on every agent in order to accurately capture all Audit logging must be enabled on every agent in order to accurately capture all
operations performed through the HTTP API. To enable logging, add operations performed through the HTTP API. To enable logging, add
the [`audit`](/docs/agent/options#audit) stanza to the agent's configuration. the [`audit`](/docs/agent/config/config-files#audit) stanza to the agent's configuration.
-> **Note**: Consul only logs operations which are initiated via the HTTP API. -> **Note**: Consul only logs operations which are initiated via the HTTP API.
The audit log does not record operations that take place over the internal RPC The audit log does not record operations that take place over the internal RPC

View File

@ -36,7 +36,7 @@ When using these binaries no further action is necessary to configure the licens
### Binaries Without Built In Licenses ### Binaries Without Built In Licenses
For Consul Enterprise 1.10.0 or greater, binaries that do not include built in licenses a license must be available at the time the agent starts. For Consul Enterprise 1.10.0 or greater, binaries that do not include built in licenses a license must be available at the time the agent starts.
For server agents this means that they must either have the [`license_path`](/docs/agent/options#license_path) For server agents this means that they must either have the [`license_path`](/docs/agent/config/config-files#license_path)
configuration set or have a license configured in the servers environment with the `CONSUL_LICENSE` or configuration set or have a license configured in the servers environment with the `CONSUL_LICENSE` or
`CONSUL_LICENSE_PATH` environment variables. Both the configuration item and the `CONSUL_LICENSE_PATH` `CONSUL_LICENSE_PATH` environment variables. Both the configuration item and the `CONSUL_LICENSE_PATH`
environment variable point to a file containing the license whereas the `CONSUL_LICENSE` environment environment variable point to a file containing the license whereas the `CONSUL_LICENSE` environment
@ -55,9 +55,9 @@ to retrieve the license automatically under specific circumstances.
When a client agent starts without a license in its configuration or environment, it will try to retrieve the When a client agent starts without a license in its configuration or environment, it will try to retrieve the
license from the servers via RPCs. That RPC always requires a valid non-anonymous ACL token to authorize the license from the servers via RPCs. That RPC always requires a valid non-anonymous ACL token to authorize the
request but the token doesn't need any particular permissions. As the license is required before the client request but the token doesn't need any particular permissions. As the license is required before the client
actually joins the cluster, where to make those RPC requests to is inferred from the [`start_join`](/docs/agent/options#start_join) actually joins the cluster, where to make those RPC requests to is inferred from the [`start_join`](/docs/agent/config/config-files#start_join)
or [`retry_join`](/docs/agent/options#retry_join) configurations. If those are both unset or no or [`retry_join`](/docs/agent/config/config-files#retry_join) configurations. If those are both unset or no
[`agent` token](/docs/agent/options#acl_tokens_agent) is set then the client agent will immediately shut itself down. [`agent` token](/docs/agent/config/config-files#acl_tokens_agent) is set then the client agent will immediately shut itself down.
If all preliminary checks pass the client agent will attempt to reach out to any server on its RPC port to If all preliminary checks pass the client agent will attempt to reach out to any server on its RPC port to
request the license. These requests will be retried for up to 5 minutes and if it is unable to retrieve a request the license. These requests will be retried for up to 5 minutes and if it is unable to retrieve a

View File

@ -15,7 +15,7 @@ description: |-
</EnterpriseAlert> </EnterpriseAlert>
Consul requires full connectivity between all agents (servers and clients) in a Consul requires full connectivity between all agents (servers and clients) in a
[datacenter](/docs/agent/options#_datacenter) within a given [datacenter](/docs/agent/config/cli-flags#_datacenter) within a given
LAN gossip pool. By default, all Consul agents will be a part of one shared Serf LAN LAN gossip pool. By default, all Consul agents will be a part of one shared Serf LAN
gossip pool known as the `<default>` network segment, thus requiring full mesh gossip pool known as the `<default>` network segment, thus requiring full mesh
connectivity within the datacenter. connectivity within the datacenter.
@ -46,7 +46,7 @@ Consul networking models and their capabilities.
**Cluster:** A set of Consul servers forming a Raft quorum along with a **Cluster:** A set of Consul servers forming a Raft quorum along with a
collection of Consul clients, all set to the same collection of Consul clients, all set to the same
[datacenter](/docs/agent/options#_datacenter), and joined together to form [datacenter](/docs/agent/config/cli-flags#_datacenter), and joined together to form
what we will call a "local cluster". Consul clients discover the Consul servers what we will call a "local cluster". Consul clients discover the Consul servers
in their local cluster through the gossip mechanism and make RPC requests to in their local cluster through the gossip mechanism and make RPC requests to
them. LAN Gossip (OSS) is an open intra-cluster networking model, and Network them. LAN Gossip (OSS) is an open intra-cluster networking model, and Network
@ -72,7 +72,7 @@ group of agents to only connect with the agents in its segment.
Server agents are members of all segments. The datacenter includes a `<default>` Server agents are members of all segments. The datacenter includes a `<default>`
segment, as well as additional segments defined in the segment, as well as additional segments defined in the
[`segments`](/docs/agent/options#segments) server agent configuration option. [`segments`](/docs/agent/config/config-files#segments) server agent configuration option.
Each additional segment is defined by: Each additional segment is defined by:
- a non-empty name - a non-empty name
@ -129,19 +129,19 @@ segments = [
</CodeTabs> </CodeTabs>
The server [agent configuration](/docs/agent/options) options relevant to network The server [agent configuration](/docs/agent/config/config-files) options relevant to network
segments are: segments are:
- [`ports.serf_lan`](/docs/agent/options#serf_lan_port): The Serf LAN port on this server - [`ports.serf_lan`](/docs/agent/config/config-files#serf_lan_port): The Serf LAN port on this server
for the `<default>` network segment's gossip pool. for the `<default>` network segment's gossip pool.
- [`segments`](/docs/agent/options#segments): A list of user-defined network segments - [`segments`](/docs/agent/config/config-files#segments): A list of user-defined network segments
on this server, including their names and Serf LAN ports. on this server, including their names and Serf LAN ports.
## Client Configuration ## Client Configuration
Each client agent can only be a member of one segment at a time. This will be the Each client agent can only be a member of one segment at a time. This will be the
`<default>` segment unless otherwise specified in the agent's `<default>` segment unless otherwise specified in the agent's
[`segment`](/docs/agent/options#_segment) agent configuration option. [`segment`](/docs/agent/config/cli-flags#_segment) agent configuration option.
### Join a Client to a Segment ((#join_a_client_to_a_segment)) ### Join a Client to a Segment ((#join_a_client_to_a_segment))
@ -154,14 +154,14 @@ configured segment.
Clients A and B specify the same segment S. Client B is already joined to the segment S Clients A and B specify the same segment S. Client B is already joined to the segment S
LAN gossip pool. Client A wants to join via Client B. In order to do so, Client A LAN gossip pool. Client A wants to join via Client B. In order to do so, Client A
must connect to Client B's configured [Serf LAN port](/docs/agent/options#serf_lan_port). must connect to Client B's configured [Serf LAN port](/docs/agent/config/config-files#serf_lan_port).
</Tab> </Tab>
<Tab heading="Join via a server"> <Tab heading="Join via a server">
Client A specifies segment S and wants to join the segment S gossip pool via Server 1. Client A specifies segment S and wants to join the segment S gossip pool via Server 1.
In order to do so, Client A must connect to Server 1's configured [Serf LAN port In order to do so, Client A must connect to Server 1's configured [Serf LAN port
for segment S](/docs/agent/options#segment_port). for segment S](/docs/agent/config/config-files#segment_port).
</Tab> </Tab>
</Tabs> </Tabs>
@ -171,12 +171,12 @@ of precedence:
1. **Specify an explicit port in the join address**. This can be done at the CLI when starting 1. **Specify an explicit port in the join address**. This can be done at the CLI when starting
the agent (e.g., `consul agent -retry-join "client-b-address:8303"`), or in the agent's the agent (e.g., `consul agent -retry-join "client-b-address:8303"`), or in the agent's
configuration using the [retry-join option](/docs/agent/options#retry_join). This method configuration using the [retry-join option](/docs/agent/config/config-files#retry_join). This method
is not compatible with [cloud auto-join](/docs/install/cloud-auto-join#auto-join-with-network-segments). is not compatible with [cloud auto-join](/docs/install/cloud-auto-join#auto-join-with-network-segments).
2. **Specify an alternate Serf LAN port for the agent**. This can be done at the CLI when starting 2. **Specify an alternate Serf LAN port for the agent**. This can be done at the CLI when starting
the agent (e.g., `consul agent -retry-join "client-b-address" -serf-lan-port 8303`), or in the agent (e.g., `consul agent -retry-join "client-b-address" -serf-lan-port 8303`), or in
the agent's configuration using the [serf_lan](/docs/agent/options#serf_lan_port) option. the agent's configuration using the [serf_lan](/docs/agent/config/config-files#serf_lan_port) option.
When a Serf LAN port is not explicitly specified in the join address, the agent will attempt to When a Serf LAN port is not explicitly specified in the join address, the agent will attempt to
join the target host at the Serf LAN port specified in CLI or agent configuration. join the target host at the Serf LAN port specified in CLI or agent configuration.
@ -221,15 +221,15 @@ ports = {
</CodeTabs> </CodeTabs>
The client [agent configuration](/docs/agent/options) options relevant to network The client [agent configuration](/docs/agent/config/config-files) options relevant to network
segments are: segments are:
- [`segment`](/docs/agent/options#segment-2): The name of the network segment this - [`segment`](/docs/agent/config/config-files#segment-2): The name of the network segment this
client agent belongs to. client agent belongs to.
- [`ports.serf_lan`](/docs/agent/options#serf_lan_port): - [`ports.serf_lan`](/docs/agent/config/config-files#serf_lan_port):
Serf LAN port for the above segment on this client. This is not required Serf LAN port for the above segment on this client. This is not required
to match the configured Serf LAN port for other agents on this segment. to match the configured Serf LAN port for other agents on this segment.
- [`retry_join`](/docs/agent/options#retry_join) or - [`retry_join`](/docs/agent/config/config-files#retry_join) or
[`start_join`](/docs/agent/options#start_join): A list of agent addresses to join [`start_join`](/docs/agent/config/config-files#start_join): A list of agent addresses to join
when starting. Ensure the correct Serf LAN port for this segment is used when joining when starting. Ensure the correct Serf LAN port for this segment is used when joining
the LAN gossip pool using one of the [available configuration methods](#join_a_client_to_a_segment). the LAN gossip pool using one of the [available configuration methods](#join_a_client_to_a_segment).

View File

@ -19,6 +19,6 @@ to include voting servers and read replicas. Read replicas still receive data fr
however, they do not take part in quorum election operations. Expanding your Consul cluster in this way can scale however, they do not take part in quorum election operations. Expanding your Consul cluster in this way can scale
reads without impacting write latency. reads without impacting write latency.
For more details, review the [Consul server configuration](/docs/agent/options) For more details, review the [Consul server configuration](/docs/agent/config)
documentation and the [-read-replica](/docs/agent/options#_read_replica) documentation and the [-read-replica](/docs/agent/config/cli-flags#_read_replica)
configuration flag. configuration flag.

View File

@ -16,5 +16,5 @@ and a link to our guides that walk you through common tasks. Note that the
guides are located on the HashiCorp Learn site. guides are located on the HashiCorp Learn site.
- Follow [the documentation](/docs/install) to install Consul either with a precompiled binary or from source. - Follow [the documentation](/docs/install) to install Consul either with a precompiled binary or from source.
- Read more about the [configuration options](/docs/agent/options) for Consul servers and clients. - Read more about the [configuration options](/docs/agent/config) for Consul servers and clients.
- Get started using Consul with our step-by-step guides at [HashiCorp Learn](https://learn.hashicorp.com/consul). - Get started using Consul with our step-by-step guides at [HashiCorp Learn](https://learn.hashicorp.com/consul).

View File

@ -30,16 +30,16 @@ as data loss is inevitable in a failure scenario. Please refer to the
Manual bootstrapping with `-bootstrap` is not recommended in Manual bootstrapping with `-bootstrap` is not recommended in
newer versions of Consul (0.5 and newer) as it is more error-prone. newer versions of Consul (0.5 and newer) as it is more error-prone.
Instead you should use automatic bootstrapping Instead you should use automatic bootstrapping
with [`-bootstrap-expect`](/docs/agent/options#_bootstrap_expect). with [`-bootstrap-expect`](/docs/agent/config/cli-flags#_bootstrap_expect).
## Bootstrapping the Servers ## Bootstrapping the Servers
The recommended way to bootstrap the servers is to use the [`-bootstrap-expect`](/docs/agent/options#_bootstrap_expect) The recommended way to bootstrap the servers is to use the [`-bootstrap-expect`](/docs/agent/config/cli-flags#_bootstrap_expect)
configuration option. This option informs Consul of the expected number of configuration option. This option informs Consul of the expected number of
server nodes and automatically bootstraps when that many servers are available. To prevent server nodes and automatically bootstraps when that many servers are available. To prevent
inconsistencies and split-brain (clusters where multiple servers consider inconsistencies and split-brain (clusters where multiple servers consider
themselves leader) situations, you should either specify the same value for themselves leader) situations, you should either specify the same value for
[`-bootstrap-expect`](/docs/agent/options#_bootstrap_expect) [`-bootstrap-expect`](/docs/agent/config/cli-flags#_bootstrap_expect)
or specify no value at all on all the servers. Only servers that specify a value will attempt to bootstrap the cluster. or specify no value at all on all the servers. Only servers that specify a value will attempt to bootstrap the cluster.
Suppose we are starting a three server cluster. We can start `Node A`, `Node B`, and `Node C` with each Suppose we are starting a three server cluster. We can start `Node A`, `Node B`, and `Node C` with each
@ -61,11 +61,11 @@ You can trigger leader election by joining the servers together, to create a clu
There are multiple options for joining the servers. Choose the method which best suits your environment and specific use case. There are multiple options for joining the servers. Choose the method which best suits your environment and specific use case.
- Specify a list of servers with - Specify a list of servers with
[-join](/docs/agent/options#_join) and [-join](/docs/agent/config/cli-flags#_join) and
[start_join](/docs/agent/options#start_join) [start_join](/docs/agent/config/config-files#start_join)
options. options.
- Specify a list of servers with [-retry-join](/docs/agent/options#_retry_join) option. - Specify a list of servers with [-retry-join](/docs/agent/config/cli-flags#_retry_join) option.
- Use automatic joining by tag for supported cloud environments with the [-retry-join](/docs/agent/options#_retry_join) option. - Use automatic joining by tag for supported cloud environments with the [-retry-join](/docs/agent/config/cli-flags#_retry_join) option.
All three methods can be set in the agent configuration file or All three methods can be set in the agent configuration file or
the command line flag. the command line flag.

View File

@ -69,7 +69,7 @@ to use port `8303` as its Serf LAN port prior to attempting to join the cluster.
<Tab heading="Agent configuration"> <Tab heading="Agent configuration">
The following example configuration overrides the default Serf LAN port using the The following example configuration overrides the default Serf LAN port using the
[`ports.serf_lan`](/docs/agent/options#serf_lan_port) configuration option. [`ports.serf_lan`](/docs/agent/config/config-files#serf_lan_port) configuration option.
<CodeBlockConfig filename="client-config.hcl"> <CodeBlockConfig filename="client-config.hcl">
@ -85,7 +85,7 @@ ports {
<Tab heading="Command-line flag"> <Tab heading="Command-line flag">
The following example overrides the default Serf LAN port using the The following example overrides the default Serf LAN port using the
[`-serf-lan-port`](/docs/agent/options#_serf_lan_port) command line flag. [`-serf-lan-port`](/docs/agent/config/cli-flags#_serf_lan_port) command line flag.
```shell ```shell
$ consul agent -serf-lan-port=8303 -retry-join "provider=..." $ consul agent -serf-lan-port=8303 -retry-join "provider=..."

View File

@ -23,7 +23,7 @@ storing the cluster state. The client nodes are mostly stateless and rely on the
server nodes, so they can be started easily. server nodes, so they can be started easily.
Manual bootstrapping requires that the first server that is deployed in a new Manual bootstrapping requires that the first server that is deployed in a new
datacenter provide the [`-bootstrap` configuration option](/docs/agent/options#_bootstrap). datacenter provide the [`-bootstrap` configuration option](/docs/agent/config/cli-flags#_bootstrap).
This option allows the server This option allows the server
to assert leadership of the cluster without agreement from any other server. to assert leadership of the cluster without agreement from any other server.
This is necessary because at this point, there are no other servers running in This is necessary because at this point, there are no other servers running in

View File

@ -18,7 +18,7 @@ reads work from a fully in-memory data store that is optimized for concurrent ac
## Minimum Server Requirements ((#minimum)) ## Minimum Server Requirements ((#minimum))
In Consul 0.7, the default server [performance parameters](/docs/agent/options#performance) In Consul 0.7, the default server [performance parameters](/docs/agent/config/config-files#performance)
were tuned to allow Consul to run reliably (but relatively slowly) on a server cluster of three were tuned to allow Consul to run reliably (but relatively slowly) on a server cluster of three
[AWS t2.micro](https://aws.amazon.com/ec2/instance-types/) instances. These thresholds [AWS t2.micro](https://aws.amazon.com/ec2/instance-types/) instances. These thresholds
were determined empirically using a leader instance that was under sufficient read, write, were determined empirically using a leader instance that was under sufficient read, write,
@ -43,7 +43,7 @@ The default performance configuration is equivalent to this:
## Production Server Requirements ((#production)) ## Production Server Requirements ((#production))
When running Consul 0.7 and later in production, it is recommended to configure the server When running Consul 0.7 and later in production, it is recommended to configure the server
[performance parameters](/docs/agent/options#performance) back to Consul's original [performance parameters](/docs/agent/config/config-files#performance) back to Consul's original
high-performance settings. This will let Consul servers detect a failed leader and complete high-performance settings. This will let Consul servers detect a failed leader and complete
leader elections much more quickly than the default configuration which extends key Raft leader elections much more quickly than the default configuration which extends key Raft
timeouts by a factor of 5, so it can be quite slow during these events. timeouts by a factor of 5, so it can be quite slow during these events.
@ -103,14 +103,14 @@ Here are some general recommendations:
issues between the servers or insufficient CPU resources. Users in cloud environments issues between the servers or insufficient CPU resources. Users in cloud environments
often bump their servers up to the next instance class with improved networking often bump their servers up to the next instance class with improved networking
and CPU until leader elections stabilize, and in Consul 0.7 or later the [performance and CPU until leader elections stabilize, and in Consul 0.7 or later the [performance
parameters](/docs/agent/options#performance) configuration now gives you tools parameters](/docs/agent/config/config-files#performance) configuration now gives you tools
to trade off performance instead of upsizing servers. You can use the [`consul.raft.leader.lastContact` to trade off performance instead of upsizing servers. You can use the [`consul.raft.leader.lastContact`
telemetry](/docs/agent/telemetry#leadership-changes) to observe how the Raft timing is telemetry](/docs/agent/telemetry#leadership-changes) to observe how the Raft timing is
performing and guide the decision to de-tune Raft performance or add more powerful performing and guide the decision to de-tune Raft performance or add more powerful
servers. servers.
- For DNS-heavy workloads, configuring all Consul agents in a cluster with the - For DNS-heavy workloads, configuring all Consul agents in a cluster with the
[`allow_stale`](/docs/agent/options#allow_stale) configuration option will allow reads to [`allow_stale`](/docs/agent/config/config-files#allow_stale) configuration option will allow reads to
scale across all Consul servers, not just the leader. Consul 0.7 and later enables stale reads scale across all Consul servers, not just the leader. Consul 0.7 and later enables stale reads
for DNS by default. See [Stale Reads](https://learn.hashicorp.com/tutorials/consul/dns-caching#stale-reads) in the for DNS by default. See [Stale Reads](https://learn.hashicorp.com/tutorials/consul/dns-caching#stale-reads) in the
[DNS Caching](https://learn.hashicorp.com/tutorials/consul/dns-caching) guide for more details. It's also good to set [DNS Caching](https://learn.hashicorp.com/tutorials/consul/dns-caching) guide for more details. It's also good to set
@ -121,7 +121,7 @@ Here are some general recommendations:
[stale consistency mode](/api/features/consistency#stale) available to allow reads to scale [stale consistency mode](/api/features/consistency#stale) available to allow reads to scale
across all the servers and not just be forwarded to the leader. across all the servers and not just be forwarded to the leader.
- In Consul 0.9.3 and later, a new [`limits`](/docs/agent/options#limits) configuration is - In Consul 0.9.3 and later, a new [`limits`](/docs/agent/config/config-files#limits) configuration is
available on Consul clients to limit the RPC request rate they are allowed to make against the available on Consul clients to limit the RPC request rate they are allowed to make against the
Consul servers. After hitting the limit, requests will start to return rate limit errors until Consul servers. After hitting the limit, requests will start to return rate limit errors until
time has passed and more requests are allowed. Configuring this across the cluster can help with time has passed and more requests are allowed. Configuring this across the cluster can help with
@ -156,11 +156,11 @@ For **write-heavy** workloads, the total RAM available for overhead must approxi
RAM NEEDED = number of keys * average key size * 2-3x RAM NEEDED = number of keys * average key size * 2-3x
``` ```
Since writes must be synced to disk (persistent storage) on a quorum of servers before they are committed, deploying a disk with high write throughput (or an SSD) will enhance performance on the write side. ([Documentation](/docs/agent/options#_data_dir)) Since writes must be synced to disk (persistent storage) on a quorum of servers before they are committed, deploying a disk with high write throughput (or an SSD) will enhance performance on the write side. ([Documentation](/docs/agent/config/cli-flags#_data_dir))
For a **read-heavy** workload, configure all Consul server agents with the `allow_stale` DNS option, or query the API with the `stale` [consistency mode](/api/features/consistency). By default, all queries made to the server are RPC forwarded to and serviced by the leader. By enabling stale reads, any server will respond to any query, thereby reducing overhead on the leader. Typically, the stale response is `100ms` or less from consistent mode but it drastically improves performance and reduces latency under high load. For a **read-heavy** workload, configure all Consul server agents with the `allow_stale` DNS option, or query the API with the `stale` [consistency mode](/api/features/consistency). By default, all queries made to the server are RPC forwarded to and serviced by the leader. By enabling stale reads, any server will respond to any query, thereby reducing overhead on the leader. Typically, the stale response is `100ms` or less from consistent mode but it drastically improves performance and reduces latency under high load.
If the leader server is out of memory or the disk is full, the server eventually stops responding, loses its election and cannot move past its last commit time. However, by configuring `max_stale` and setting it to a large value, Consul will continue to respond to queries during such outage scenarios. ([max_stale documentation](/docs/agent/options#max_stale)). If the leader server is out of memory or the disk is full, the server eventually stops responding, loses its election and cannot move past its last commit time. However, by configuring `max_stale` and setting it to a large value, Consul will continue to respond to queries during such outage scenarios. ([max_stale documentation](/docs/agent/config/config-files#max_stale)).
It should be noted that `stale` is not appropriate for coordination where strong consistency is important (i.e. locking or application leader election). For critical cases, the optional `consistent` API query mode is required for true linearizability; the trade off is that this turns a read into a full quorum write so requires more resources and takes longer. It should be noted that `stale` is not appropriate for coordination where strong consistency is important (i.e. locking or application leader election). For critical cases, the optional `consistent` API query mode is required for true linearizability; the trade off is that this turns a read into a full quorum write so requires more resources and takes longer.
@ -168,7 +168,7 @@ It should be noted that `stale` is not appropriate for coordination where strong
Consuls agents use network sockets for communicating with the other nodes (gossip) and with the server agent. In addition, file descriptors are also opened for watch handlers, health checks, and log files. For a **write heavy** cluster, the `ulimit` size must be increased from the default value (`1024`) to prevent the leader from running out of file descriptors. Consuls agents use network sockets for communicating with the other nodes (gossip) and with the server agent. In addition, file descriptors are also opened for watch handlers, health checks, and log files. For a **write heavy** cluster, the `ulimit` size must be increased from the default value (`1024`) to prevent the leader from running out of file descriptors.
To prevent any CPU spikes from a misconfigured client, RPC requests to the server should be [rate limited](/docs/agent/options#limits) To prevent any CPU spikes from a misconfigured client, RPC requests to the server should be [rate limited](/docs/agent/config/config-files#limits)
~> **NOTE** Rate limiting is configured on the client agent only. ~> **NOTE** Rate limiting is configured on the client agent only.
@ -191,8 +191,8 @@ Smearing requests over 30s is sufficient to bring RPC load to a reasonable level
in all but the very largest clusters, but the extra CPU load from cryptographic in all but the very largest clusters, but the extra CPU load from cryptographic
operations could impact the server's normal work. To limit that, Consul since operations could impact the server's normal work. To limit that, Consul since
1.4.1 exposes two ways to limit the impact Certificate signing has on the leader 1.4.1 exposes two ways to limit the impact Certificate signing has on the leader
[`csr_max_per_second`](/docs/agent/options#ca_csr_max_per_second) and [`csr_max_per_second`](/docs/agent/config/config-files#ca_csr_max_per_second) and
[`csr_max_concurrent`](/docs/agent/options#ca_csr_max_concurrent). [`csr_max_concurrent`](/docs/agent/config/config-files#ca_csr_max_concurrent).
By default we set a limit of 50 per second which is reasonable on modest By default we set a limit of 50 per second which is reasonable on modest
hardware but may be too low and impact rotation times if more than 1500 service hardware but may be too low and impact rotation times if more than 1500 service

View File

@ -55,4 +55,4 @@ the Serf WAN port (TCP/UDP) to be listening on both WAN and LAN interfaces. See
**Server RPC** This is used by servers to handle incoming **Server RPC** This is used by servers to handle incoming
requests from other agents. requests from other agents.
Note, the default ports can be changed in the [agent configuration](/docs/agent/options#ports). Note, the default ports can be changed in the [agent configuration](/docs/agent/config/config-files#ports).

View File

@ -200,5 +200,5 @@ To update any settings under these keys, you must use Consul's [Update CA Config
To renew the Vault token, use the [`vault token renew`](https://www.vaultproject.io/docs/commands/token/renew) CLI command To renew the Vault token, use the [`vault token renew`](https://www.vaultproject.io/docs/commands/token/renew) CLI command
or API. or API.
[`ca_config`]: /docs/agent/options#connect_ca_config [`ca_config`]: /docs/agent/config/config-files#connect_ca_config
[`ca_provider`]: /docs/agent/options#connect_ca_provider [`ca_provider`]: /docs/agent/config/config-files#connect_ca_provider

View File

@ -58,7 +58,7 @@ Use these links to navigate to a particular top-level stanza.
the prefix will be `<helm release name>-consul`. the prefix will be `<helm release name>-consul`.
- `domain` ((#v-global-domain)) (`string: consul`) - The domain Consul will answer DNS queries for - `domain` ((#v-global-domain)) (`string: consul`) - The domain Consul will answer DNS queries for
(see `-domain` (https://consul.io/docs/agent/options#_domain)) and the domain services synced from (see `-domain` (https://consul.io/docs/agent/config/cli-flags#_domain)) and the domain services synced from
Consul into Kubernetes will have, e.g. `service-name.service.consul`. Consul into Kubernetes will have, e.g. `service-name.service.consul`.
- `adminPartitions` ((#v-global-adminpartitions)) - <EnterpriseAlert inline /> Enabling `adminPartitions` allows creation of Admin Partitions in Kubernetes clusters. - `adminPartitions` ((#v-global-adminpartitions)) - <EnterpriseAlert inline /> Enabling `adminPartitions` allows creation of Admin Partitions in Kubernetes clusters.
@ -240,7 +240,7 @@ Use these links to navigate to a particular top-level stanza.
``` ```
- `gossipEncryption` ((#v-global-gossipencryption)) - Configures Consul's gossip encryption key. - `gossipEncryption` ((#v-global-gossipencryption)) - Configures Consul's gossip encryption key.
(see `-encrypt` (https://consul.io/docs/agent/options#_encrypt)). (see `-encrypt` (https://consul.io/docs/agent/config/cli-flags#_encrypt)).
By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually. By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually.
The recommended method is to automatically generate the key. The recommended method is to automatically generate the key.
To automatically generate and set a gossip encryption key, set autoGenerate to true. To automatically generate and set a gossip encryption key, set autoGenerate to true.
@ -271,7 +271,7 @@ Use these links to navigate to a particular top-level stanza.
- `recursors` ((#v-global-recursors)) (`array<string>: []`) - A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries. - `recursors` ((#v-global-recursors)) (`array<string>: []`) - A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries.
These values are given as `-recursor` flags to Consul servers and clients. These values are given as `-recursor` flags to Consul servers and clients.
See https://www.consul.io/docs/agent/options#_recursor for more details. See https://www.consul.io/docs/agent/config/cli-flags#_recursor for more details.
If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`). If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`).
- `tls` ((#v-global-tls)) - Enables TLS (https://learn.hashicorp.com/tutorials/consul/tls-encryption-secure) - `tls` ((#v-global-tls)) - Enables TLS (https://learn.hashicorp.com/tutorials/consul/tls-encryption-secure)
@ -616,7 +616,7 @@ Use these links to navigate to a particular top-level stanza.
--set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation --set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation
command because of a limitation in the Helm templating language. command because of a limitation in the Helm templating language.
- `extraConfig` ((#v-server-extraconfig)) (`string: {}`) - A raw string of extra JSON configuration (https://consul.io/docs/agent/options) for Consul - `extraConfig` ((#v-server-extraconfig)) (`string: {}`) - A raw string of extra JSON configuration (https://consul.io/docs/agent/config) for Consul
servers. This will be saved as-is into a ConfigMap that is read by the Consul servers. This will be saved as-is into a ConfigMap that is read by the Consul
server agents. This can be used to add additional configuration that server agents. This can be used to add additional configuration that
isn't directly exposed by the chart. isn't directly exposed by the chart.
@ -817,7 +817,7 @@ Use these links to navigate to a particular top-level stanza.
- `image` ((#v-client-image)) (`string: null`) - The name of the Docker image (including any tag) for the containers - `image` ((#v-client-image)) (`string: null`) - The name of the Docker image (including any tag) for the containers
running Consul client agents. running Consul client agents.
- `join` ((#v-client-join)) (`array<string>: null`) - A list of valid `-retry-join` values (https://consul.io/docs/agent/options#retry-join). - `join` ((#v-client-join)) (`array<string>: null`) - A list of valid `-retry-join` values (https://consul.io/docs/agent/config/config-files#retry-join).
If this is `null` (default), then the clients will attempt to automatically If this is `null` (default), then the clients will attempt to automatically
join the server cluster running within Kubernetes. join the server cluster running within Kubernetes.
This means that with `server.enabled` set to true, clients will automatically This means that with `server.enabled` set to true, clients will automatically
@ -838,7 +838,7 @@ Use these links to navigate to a particular top-level stanza.
required for Connect. required for Connect.
- `nodeMeta` ((#v-client-nodemeta)) - nodeMeta specifies an arbitrary metadata key/value pair to associate with the node - `nodeMeta` ((#v-client-nodemeta)) - nodeMeta specifies an arbitrary metadata key/value pair to associate with the node
(see https://www.consul.io/docs/agent/options.html#_node_meta) (see https://www.consul.io/docs/agent/config/cli-flags#_node_meta)
- `pod-name` ((#v-client-nodemeta-pod-name)) (`string: ${HOSTNAME}`) - `pod-name` ((#v-client-nodemeta-pod-name)) (`string: ${HOSTNAME}`)
@ -882,7 +882,7 @@ Use these links to navigate to a particular top-level stanza.
- `tlsInit` ((#v-client-containersecuritycontext-tlsinit)) (`map`) - The tls-init initContainer - `tlsInit` ((#v-client-containersecuritycontext-tlsinit)) (`map`) - The tls-init initContainer
- `extraConfig` ((#v-client-extraconfig)) (`string: {}`) - A raw string of extra JSON configuration (https://consul.io/docs/agent/options) for Consul - `extraConfig` ((#v-client-extraconfig)) (`string: {}`) - A raw string of extra JSON configuration (https://consul.io/docs/agent/config) for Consul
clients. This will be saved as-is into a ConfigMap that is read by the Consul clients. This will be saved as-is into a ConfigMap that is read by the Consul
client agents. This can be used to add additional configuration that client agents. This can be used to add additional configuration that
isn't directly exposed by the chart. isn't directly exposed by the chart.
@ -1191,7 +1191,7 @@ Use these links to navigate to a particular top-level stanza.
will inherit from `global.metrics.enabled` value. will inherit from `global.metrics.enabled` value.
- `provider` ((#v-ui-metrics-provider)) (`string: prometheus`) - Provider for metrics. See - `provider` ((#v-ui-metrics-provider)) (`string: prometheus`) - Provider for metrics. See
https://www.consul.io/docs/agent/options#ui_config_metrics_provider https://www.consul.io/docs/agent/config/config-files#ui_config_metrics_provider
This value is only used if `ui.enabled` is set to true. This value is only used if `ui.enabled` is set to true.
- `baseURL` ((#v-ui-metrics-baseurl)) (`string: http://prometheus-server`) - baseURL is the URL of the prometheus server, usually the service URL. - `baseURL` ((#v-ui-metrics-baseurl)) (`string: http://prometheus-server`) - baseURL is the URL of the prometheus server, usually the service URL.

View File

@ -62,7 +62,7 @@ Kubernetes cluster.
The server agents are run as a **StatefulSet**, using persistent volume The server agents are run as a **StatefulSet**, using persistent volume
claims to store the server state. This also ensures that the claims to store the server state. This also ensures that the
[node ID](/docs/agent/options#_node_id) is persisted so that servers [node ID](/docs/agent/config/cli-flags#_node_id) is persisted so that servers
can be rescheduled onto new IP addresses without causing issues. The server agents can be rescheduled onto new IP addresses without causing issues. The server agents
are configured with are configured with
[anti-affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) [anti-affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)

View File

@ -6,26 +6,21 @@ description: Running Consul servers outside of Kubernetes
# Consul Servers Outside of Kubernetes # Consul Servers Outside of Kubernetes
If you have a Consul cluster already running, you can configure your This topic describes how to configure your Consul clients inside Kubernetes to join an existing cluster.
Consul clients inside Kubernetes to join this existing cluster.
The below `config.yaml` file shows how to configure the Helm chart to install ## Configuration Overview
Consul clients that will join an existing cluster.
The `global.enabled` value first disables all chart components by default In the following example `config.yaml` file, the Helm chart is configured to install Consul clients that will join an existing cluster. It includes the following parameters:
so that each component is opt-in. This allows us to _only_ setup the client
agents. We then opt-in to the client agents by setting `client.enabled` to
`true`.
Next, `client.exposeGossipPorts` can be set to `true` or `false` depending on if * The `global.enabled` parameter is set to `false`. This configuration disables all chart components by default so that each component must opt-in. As a result, only client agents will be set up when the configuraiton is applied.
you want the clients to be exposed on the Kubernetes internal node IPs (`true`) or
their pod IPs (`false`).
Finally, `client.join` is set to an array of valid * The `client.enabled` parameter is set to `true`. This configuration opts the client agents into the cluster.
[`-retry-join` values](/docs/agent/options#retry-join). In the
example above, a fake [cloud auto-join](/docs/install/cloud-auto-join) * The `client.exposeGossipPorts` parameter is set to `true` or `false`. Setting the parameter to `true` exposes the clients on the Kubernetes internal node IPs. Setting to `false` exposes the clients on their pod IPs.
value is specified. This should be set to resolve to the proper addresses of
your existing Consul cluster. * The `client.join` is set to an array of valid
[`-retry-join` values](/docs/agent/config/cli-flags#retry-join). The
following example includes a [cloud auto-join](/docs/agent/cloud-auto-join) value resolve to the proper addresses of the existing Consul cluster.
<CodeBlockConfig filename="config.yaml"> <CodeBlockConfig filename="config.yaml">

View File

@ -271,8 +271,8 @@ The automatically generated federation secret contains:
- **Consul server config** - This is a JSON snippet that must be used as part of the server config for secondary datacenters. - **Consul server config** - This is a JSON snippet that must be used as part of the server config for secondary datacenters.
It sets: It sets:
- [`primary_datacenter`](/docs/agent/options#primary_datacenter) to the name of the primary datacenter. - [`primary_datacenter`](/docs/agent/config/config-files#primary_datacenter) to the name of the primary datacenter.
- [`primary_gateways`](/docs/agent/options#primary_gateways) to an array of IPs or hostnames - [`primary_gateways`](/docs/agent/config/config-files#primary_gateways) to an array of IPs or hostnames
for the mesh gateways in the primary datacenter. These are the addresses that for the mesh gateways in the primary datacenter. These are the addresses that
Consul servers in secondary clusters will use to communicate with the primary Consul servers in secondary clusters will use to communicate with the primary
datacenter. datacenter.

View File

@ -91,7 +91,7 @@ The following sections detail how to export this data.
==> Saved dc1-client-consul-0-key.pem ==> Saved dc1-client-consul-0-key.pem
``` ```
Or use the [auto_encrypt](/docs/agent/options#auto_encrypt) feature. Or use the [auto_encrypt](/docs/agent/config/config-files#auto_encrypt) feature.
### Mesh Gateway Addresses ### Mesh Gateway Addresses

View File

@ -61,7 +61,7 @@ tls {
The `consul` block is used to configure CTS connection with a Consul agent to perform queries to the Consul Catalog and Consul KV pertaining to task execution. The `consul` block is used to configure CTS connection with a Consul agent to perform queries to the Consul Catalog and Consul KV pertaining to task execution.
-> **Note:** Use HTTP/2 to improve CTS performance when communicating with the local Consul process. [TLS/HTTPS](/docs/agent/options) must be configured for the local Consul with the [cert_file](/docs/agent/options#cert_file) and [key_file](/docs/agent/options#key_file) parameters set. For the CTS configuration, set `tls.enabled = true` and set the `address` parameter to the HTTPS URL, e.g., `address = example.consul.com:8501`. If using self-signed certificates for Consul, you will also need to set `tls.verify = false` or add the certificate to `ca_cert` or `ca_path`. -> **Note:** Use HTTP/2 to improve CTS performance when communicating with the local Consul process. [TLS/HTTPS](/docs/agent/config/config-files) must be configured for the local Consul with the [cert_file](/docs/agent/config/config-filess#cert_file) and [key_file](/docs/agent/config/config-files#key_file) parameters set. For the CTS configuration, set `tls.enabled = true` and set the `address` parameter to the HTTPS URL, e.g., `address = example.consul.com:8501`. If using self-signed certificates for Consul, you will also need to set `tls.verify = false` or add the certificate to `ca_cert` or `ca_path`.
To read more on suggestions for configuring the Consul agent, see [run an agent](/docs/nia/installation/requirements#run-an-agent). To read more on suggestions for configuring the Consul agent, see [run an agent](/docs/nia/installation/requirements#run-an-agent).
@ -80,7 +80,7 @@ consul {
- `enabled` - (bool) - `enabled` - (bool)
- `username` - (string) - `username` - (string)
- `password` - (string) - `password` - (string)
- `tls` - Configure TLS to use a secure client connection with Consul. Using HTTP/2 can solve issues related to hitting Consul's maximum connection limits, as well as improve efficiency when processing many blocking queries. This option is required for CTS when connecting to a [Consul agent with TLS verification enabled for HTTPS connections](/docs/agent/options#verify_incoming). - `tls` - Configure TLS to use a secure client connection with Consul. Using HTTP/2 can solve issues related to hitting Consul's maximum connection limits, as well as improve efficiency when processing many blocking queries. This option is required for CTS when connecting to a [Consul agent with TLS verification enabled for HTTPS connections](/docs/agent/config/config-files#verify_incoming).
- `enabled` - (bool) Enable TLS. Providing a value for any of the TLS options will enable this parameter implicitly. - `enabled` - (bool) Enable TLS. Providing a value for any of the TLS options will enable this parameter implicitly.
- `verify` - (bool: true) Enables TLS peer verification. The default is enabled, which will check the global certificate authority (CA) chain to make sure the certificates returned by Consul are valid. - `verify` - (bool: true) Enables TLS peer verification. The default is enabled, which will check the global certificate authority (CA) chain to make sure the certificates returned by Consul are valid.
- If Consul is using a self-signed certificate that you have not added to the global CA chain, you can set this certificate with `ca_cert` or `ca_path`. Alternatively, you can disable SSL verification by setting `verify` to false. However, disabling verification is a potential security vulnerability. - If Consul is using a self-signed certificate that you have not added to the global CA chain, you can set this certificate with `ca_cert` or `ca_path`. Alternatively, you can disable SSL verification by setting `verify` to false. However, disabling verification is a potential security vulnerability.
@ -98,7 +98,7 @@ consul {
- `max_idle_conns` - (int: 0) The maximum number of total idle connections across all hosts. The limit is disabled by default. - `max_idle_conns` - (int: 0) The maximum number of total idle connections across all hosts. The limit is disabled by default.
- `max_idle_conns_per_host` - (int: 100) The maximum number of idle connections per remote host. The majority of connections are established with one host, the Consul agent. - `max_idle_conns_per_host` - (int: 100) The maximum number of idle connections per remote host. The majority of connections are established with one host, the Consul agent.
- To achieve the shortest latency between a Consul service update to a task execution, configure `max_idle_conns_per_host` equal to or greater than the number of services in automation across all tasks. - To achieve the shortest latency between a Consul service update to a task execution, configure `max_idle_conns_per_host` equal to or greater than the number of services in automation across all tasks.
- This value should be lower than the configured [`http_max_conns_per_client`](/docs/agent/options#http_max_conns_per_client) for the Consul agent. If `max_idle_conns_per_host` and the number of services in automation is greater than the Consul agent limit, CTS may error due to connection limits (status code 429). You may increase the agent limit with caution. _Note: requests to the Consul agent made by Terraform subprocesses or any other process on the same host as CTS will contribute to the Consul agent connection limit._ - This value should be lower than the configured [`http_max_conns_per_client`](/docs/agent/config/config-files#http_max_conns_per_client) for the Consul agent. If `max_idle_conns_per_host` and the number of services in automation is greater than the Consul agent limit, CTS may error due to connection limits (status code 429). You may increase the agent limit with caution. _Note: requests to the Consul agent made by Terraform subprocesses or any other process on the same host as CTS will contribute to the Consul agent connection limit._
- `tls_handshake_timeout` - (string: "10s") amount of time to wait to complete the TLS handshake. - `tls_handshake_timeout` - (string: "10s") amount of time to wait to complete the TLS handshake.
## Service ## Service

View File

@ -35,7 +35,7 @@ The Consul agent must be running in order to dynamically update network devices.
When running a Consul agent with CTS in production, we suggest to keep a few considerations in mind. CTS uses [blocking queries](/api/features/blocking) to monitor task dependencies, like changes to registered services. This results in multiple long running TCP connections between CTS and the agent to poll changes for each dependency. Monitoring a high number of services may quickly hit the default Consul agent connection limits. When running a Consul agent with CTS in production, we suggest to keep a few considerations in mind. CTS uses [blocking queries](/api/features/blocking) to monitor task dependencies, like changes to registered services. This results in multiple long running TCP connections between CTS and the agent to poll changes for each dependency. Monitoring a high number of services may quickly hit the default Consul agent connection limits.
There are 2 ways to fix this issue. The first and recommended fix is to use HTTP/2 (requires HTTPS) to communicate between CTS and the Consul agent. When using HTTP/2 only a single connection is made and reused for all communications. See the [Consul Configuration section](/docs/nia/configuration#consul) for more. The other option is to configure [`limits.http_max_conns_per_client`](/docs/agent/options#http_max_conns_per_client) for the agent to a reasonable value proportional to the number of services monitored by CTS. There are two ways to fix this issue. The first and recommended fix is to use HTTP/2 (requires HTTPS) to communicate between CTS and the Consul agent. When using HTTP/2 only a single connection is made and reused for all communications. See the [Consul Configuration section](/docs/nia/configuration#consul) for more. The other option is to configure [`limits.http_max_conns_per_client`](/docs/agent/config/config-files#http_max_conns_per_client) for the agent to a reasonable value proportional to the number of services monitored by CTS.
### Register Services ### Register Services

View File

@ -21,7 +21,7 @@ page_title: 1.9.0
- **Active Health Checks for Consul on Kubernetes:** Consul service mesh now integrates with Kubernetes Readiness probes. This provides the ability to natively detect health status from Kubernetes via Readiness probe, and is then used for directing service mesh traffic. - **Active Health Checks for Consul on Kubernetes:** Consul service mesh now integrates with Kubernetes Readiness probes. This provides the ability to natively detect health status from Kubernetes via Readiness probe, and is then used for directing service mesh traffic.
- **Streaming:** This feature introduces a major architectural enhancement in how update notifications for blocking queries are delivered within the cluster. Streaming results in very significant reduction of CPU and network bandwidth usage on Consul servers in large-scale deployments. Streaming is particularly helpful in scaling blocking queries in Consul clusters that have rapid changes in service state. - **Streaming:** This feature introduces a major architectural enhancement in how update notifications for blocking queries are delivered within the cluster. Streaming results in very significant reduction of CPU and network bandwidth usage on Consul servers in large-scale deployments. Streaming is particularly helpful in scaling blocking queries in Consul clusters that have rapid changes in service state.
- Streaming is now available for the service health HTTP endpoint, and can be enabled through the [`use_streaming_backend`](/docs/agent/options#use_streaming_backend) client configuration option, and [`rpc.enable_streaming`](/docs/agent/options#rpc_enable_streaming) option on the servers. We will continue to enable streaming in more endpoints in subsequent releases. - Streaming is now available for the service health HTTP endpoint, and can be enabled through the [`use_streaming_backend`](/docs/agent/config/config-files#use_streaming_backend) client configuration option, and [`rpc.enable_streaming`](/docs/agent/config/config-files#rpc_enable_streaming) option on the servers. We will continue to enable streaming in more endpoints in subsequent releases.
## What's Changed ## What's Changed

View File

@ -89,7 +89,7 @@ and [Policies](/api/acl/policies).
~> **Warning**: In this document we use the deprecated ~> **Warning**: In this document we use the deprecated
configuration parameter `acl_datacenter`. In Consul 1.4 and newer the configuration parameter `acl_datacenter`. In Consul 1.4 and newer the
parameter has been updated to [`primary_datacenter`](/docs/agent/options#primary_datacenter). parameter has been updated to [`primary_datacenter`](/docs/agent/config/config-files#primary_datacenter).
Consul provides an optional Access Control List (ACL) system which can be used to control Consul provides an optional Access Control List (ACL) system which can be used to control
access to data and APIs. The ACL is access to data and APIs. The ACL is
@ -129,7 +129,7 @@ token are automatically applied. The anonymous token is managed using the
Tokens are bound to a set of rules that control which Consul resources the token Tokens are bound to a set of rules that control which Consul resources the token
has access to. Policies can be defined in either an allowlist or denylist mode has access to. Policies can be defined in either an allowlist or denylist mode
depending on the configuration of depending on the configuration of
[`acl_default_policy`](/docs/agent/options#acl_default_policy). If the default [`acl_default_policy`](/docs/agent/config/config-files#acl_default_policy). If the default
policy is to "deny" all actions, then token rules can be set to allowlist specific policy is to "deny" all actions, then token rules can be set to allowlist specific
actions. In the inverse, the "allow" all default behavior is a denylist where rules actions. In the inverse, the "allow" all default behavior is a denylist where rules
are used to prohibit actions. By default, Consul will allow all actions. are used to prohibit actions. By default, Consul will allow all actions.
@ -169,7 +169,7 @@ Constructing rules from these policies is covered in detail in the
#### ACL Datacenter #### ACL Datacenter
All nodes (clients and servers) must be configured with a All nodes (clients and servers) must be configured with a
[`acl_datacenter`](/docs/agent/options#acl_datacenter) which enables ACL [`acl_datacenter`](/docs/agent/config/config-files#acl_datacenter) which enables ACL
enforcement but also specifies the authoritative datacenter. Consul relies on enforcement but also specifies the authoritative datacenter. Consul relies on
[RPC forwarding](/docs/architecture) to support multi-datacenter [RPC forwarding](/docs/architecture) to support multi-datacenter
configurations. However, because requests can be made across datacenter boundaries, configurations. However, because requests can be made across datacenter boundaries,
@ -179,14 +179,14 @@ is considered authoritative and stores the canonical set of tokens.
When a request is made to an agent in a non-authoritative datacenter, it must be When a request is made to an agent in a non-authoritative datacenter, it must be
resolved into the appropriate policy. This is done by reading the token from the resolved into the appropriate policy. This is done by reading the token from the
authoritative server and caching the result for a configurable authoritative server and caching the result for a configurable
[`acl_ttl`](/docs/agent/options#acl_ttl). The implication of caching is that [`acl_ttl`](/docs/agent/config/config-files#acl_ttl). The implication of caching is that
the cache TTL is an upper bound on the staleness of policy that is enforced. It is the cache TTL is an upper bound on the staleness of policy that is enforced. It is
possible to set a zero TTL, but this has adverse performance impacts, as every possible to set a zero TTL, but this has adverse performance impacts, as every
request requires refreshing the policy via an RPC call. request requires refreshing the policy via an RPC call.
During an outage of the ACL datacenter, or loss of connectivity, the cache will be During an outage of the ACL datacenter, or loss of connectivity, the cache will be
used as long as the TTL is valid, or the cache may be extended if the used as long as the TTL is valid, or the cache may be extended if the
[`acl_down_policy`](/docs/agent/options#acl_down_policy) is set accordingly. [`acl_down_policy`](/docs/agent/config/config-files#acl_down_policy) is set accordingly.
This configuration also allows the ACL system to fail open or closed. This configuration also allows the ACL system to fail open or closed.
[ACL replication](#replication) is also available to allow for the full set of ACL [ACL replication](#replication) is also available to allow for the full set of ACL
tokens to be replicated for use during an outage. tokens to be replicated for use during an outage.
@ -198,10 +198,10 @@ as to whether they are set on servers, clients, or both.
| Configuration Option | Servers | Clients | Purpose | | Configuration Option | Servers | Clients | Purpose |
| --------------------------------------------------------------------- | ---------- | ---------- | ----------------------------------------------------------------------------------------- | | --------------------------------------------------------------------- | ---------- | ---------- | ----------------------------------------------------------------------------------------- |
| [`acl_datacenter`](/docs/agent/options#acl_datacenter) | `REQUIRED` | `REQUIRED` | Master control that enables ACLs by defining the authoritative Consul datacenter for ACLs | | [`acl_datacenter`](/docs/agent/config/config-files#acl_datacenter) | `REQUIRED` | `REQUIRED` | Master control that enables ACLs by defining the authoritative Consul datacenter for ACLs |
| [`acl_default_policy`](/docs/agent/options#acl_default_policy_legacy) | `OPTIONAL` | `N/A` | Determines allowlist or denylist mode | | [`acl_default_policy`](/docs/agent/config/config-files#acl_default_policy_legacy) | `OPTIONAL` | `N/A` | Determines allowlist or denylist mode |
| [`acl_down_policy`](/docs/agent/options#acl_down_policy_legacy) | `OPTIONAL` | `OPTIONAL` | Determines what to do when the ACL datacenter is offline | | [`acl_down_policy`](/docs/agent/config/config-files#acl_down_policy_legacy) | `OPTIONAL` | `OPTIONAL` | Determines what to do when the ACL datacenter is offline |
| [`acl_ttl`](/docs/agent/options#acl_ttl_legacy) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACLs | | [`acl_ttl`](/docs/agent/config/config-files#acl_ttl_legacy) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACLs |
There are some additional configuration items related to [ACL replication](#replication) and There are some additional configuration items related to [ACL replication](#replication) and
[Version 8 ACL support](#version_8_acls). These are discussed in those respective sections [Version 8 ACL support](#version_8_acls). These are discussed in those respective sections
@ -212,17 +212,17 @@ system, or accessing Consul in special situations:
| Special Token | Servers | Clients | Purpose | | Special Token | Servers | Clients | Purpose |
| ----------------------------------------------------------------------------- | ---------- | ---------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ----------------------------------------------------------------------------- | ---------- | ---------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [`acl_agent_master_token`](/docs/agent/options#acl_agent_master_token_legacy) | `OPTIONAL` | `OPTIONAL` | Special token that can be used to access [Agent API](/api/agent) when the ACL datacenter isn't available, or servers are offline (for clients); used for setting up the cluster such as doing initial join operations, see the [ACL Agent Master Token](#acl-agent-master-token) section for more details | | [`acl_agent_master_token`](/docs/agent/config/config-files#acl_agent_master_token_legacy) | `OPTIONAL` | `OPTIONAL` | Special token that can be used to access [Agent API](/api/agent) when the ACL datacenter isn't available, or servers are offline (for clients); used for setting up the cluster such as doing initial join operations, see the [ACL Agent Master Token](#acl-agent-master-token) section for more details |
| [`acl_agent_token`](/docs/agent/options#acl_agent_token_legacy) | `OPTIONAL` | `OPTIONAL` | Special token that is used for an agent's internal operations, see the [ACL Agent Token](#acl-agent-token) section for more details | | [`acl_agent_token`](/docs/agent/config/config-files#acl_agent_token_legacy) | `OPTIONAL` | `OPTIONAL` | Special token that is used for an agent's internal operations, see the [ACL Agent Token](#acl-agent-token) section for more details |
| [`acl_master_token`](/docs/agent/options#acl_master_token_legacy) | `REQUIRED` | `N/A` | Special token used to bootstrap the ACL system, see the [Bootstrapping ACLs](#bootstrapping-acls) section for more details | | [`acl_master_token`](/docs/agent/config/config-files#acl_master_token_legacy) | `REQUIRED` | `N/A` | Special token used to bootstrap the ACL system, see the [Bootstrapping ACLs](#bootstrapping-acls) section for more details |
| [`acl_token`](/docs/agent/options#acl_token_legacy) | `OPTIONAL` | `OPTIONAL` | Default token to use for client requests where no token is supplied; this is often configured with read-only access to services to enable DNS service discovery on agents | | [`acl_token`](/docs/agent/config/config-files#acl_token_legacy) | `OPTIONAL` | `OPTIONAL` | Default token to use for client requests where no token is supplied; this is often configured with read-only access to services to enable DNS service discovery on agents |
In Consul 0.9.1 and later, the agent ACL tokens can be introduced or updated via the In Consul 0.9.1 and later, the agent ACL tokens can be introduced or updated via the
[/v1/agent/token API](/api/agent#update-acl-tokens). [/v1/agent/token API](/api/agent#update-acl-tokens).
#### ACL Agent Master Token #### ACL Agent Master Token
Since the [`acl_agent_master_token`](/docs/agent/options#acl_agent_master_token_legacy) is designed to be used when the Consul servers are not available, its policy is managed locally on the agent and does not need to have a token defined on the Consul servers via the ACL API. Once set, it implicitly has the following policy associated with it (the `node` policy was added in Consul 0.9.0): Since the [`acl_agent_master_token`](/docs/agent/config/config-files#acl_agent_master_token_legacy) is designed to be used when the Consul servers are not available, its policy is managed locally on the agent and does not need to have a token defined on the Consul servers via the ACL API. Once set, it implicitly has the following policy associated with it (the `node` policy was added in Consul 0.9.0):
```hcl ```hcl
agent "<node name of agent>" { agent "<node name of agent>" {
@ -238,7 +238,7 @@ In Consul 0.9.1 and later, the agent ACL tokens can be introduced or updated via
#### ACL Agent Token #### ACL Agent Token
The [`acl_agent_token`](/docs/agent/options#acl_agent_token) is a special token that is used for an agent's internal operations. It isn't used directly for any user-initiated operations like the [`acl_token`](/docs/agent/options#acl_token), though if the `acl_agent_token` isn't configured the `acl_token` will be used. The ACL agent token is used for the following operations by the agent: The [`acl_agent_token`](/docs/agent/config/config-files#acl_agent_token) is a special token that is used for an agent's internal operations. It isn't used directly for any user-initiated operations like the [`acl_token`](/docs/agent/config/config-files#acl_token), though if the `acl_agent_token` isn't configured the `acl_token` will be used. The ACL agent token is used for the following operations by the agent:
1. Updating the agent's node entry using the [Catalog API](/api/catalog), including updating its node metadata, tagged addresses, and network coordinates 1. Updating the agent's node entry using the [Catalog API](/api/catalog), including updating its node metadata, tagged addresses, and network coordinates
2. Performing [anti-entropy](/docs/architecture/anti-entropy) syncing, in particular reading the node metadata and services registered with the catalog 2. Performing [anti-entropy](/docs/architecture/anti-entropy) syncing, in particular reading the node metadata and services registered with the catalog
@ -258,7 +258,7 @@ key "_rexec" {
} }
``` ```
The `service` policy needs `read` access for any services that can be registered on the agent. If [remote exec is disabled](/docs/agent/options#disable_remote_exec), the default, then the `key` policy can be omitted. The `service` policy needs `read` access for any services that can be registered on the agent. If [remote exec is disabled](/docs/agent/config/config-files#disable_remote_exec), the default, then the `key` policy can be omitted.
In Consul 0.9.1 and later, the agent ACL tokens can be introduced or updated via the In Consul 0.9.1 and later, the agent ACL tokens can be introduced or updated via the
[/v1/agent/token API](/api/agent#update-acl-tokens). [/v1/agent/token API](/api/agent#update-acl-tokens).
@ -294,12 +294,12 @@ The servers will need to be restarted to load the new configuration. Please take
to start the servers one at a time, and ensure each server has joined and is operating to start the servers one at a time, and ensure each server has joined and is operating
correctly before starting another. correctly before starting another.
The [`acl_master_token`](/docs/agent/options#acl_master_token) will be created The [`acl_master_token`](/docs/agent/config/config-files#acl_master_token) will be created
as a "management" type token automatically. The as a "management" type token automatically. The
[`acl_master_token`](/docs/agent/options#acl_master_token) is only installed when [`acl_master_token`](/docs/agent/config/config-files#acl_master_token) is only installed when
a server acquires cluster leadership. If you would like to install or change the a server acquires cluster leadership. If you would like to install or change the
[`acl_master_token`](/docs/agent/options#acl_master_token), set the new value for [`acl_master_token`](/docs/agent/config/config-files#acl_master_token), set the new value for
[`acl_master_token`](/docs/agent/options#acl_master_token) in the configuration [`acl_master_token`](/docs/agent/config/config-files#acl_master_token) in the configuration
for all servers. Once this is done, restart the current leader to force a leader election. for all servers. Once this is done, restart the current leader to force a leader election.
In Consul 0.9.1 and later, you can use the [/v1/acl/bootstrap API](/api-docs/acl#bootstrap-acls) In Consul 0.9.1 and later, you can use the [/v1/acl/bootstrap API](/api-docs/acl#bootstrap-acls)
@ -332,7 +332,7 @@ servers related to permission denied errors:
``` ```
These errors are because the agent doesn't yet have a properly configured These errors are because the agent doesn't yet have a properly configured
[`acl_agent_token`](/docs/agent/options#acl_agent_token) that it can use for its [`acl_agent_token`](/docs/agent/config/config-files#acl_agent_token) that it can use for its
own internal operations like updating its node information in the catalog and performing own internal operations like updating its node information in the catalog and performing
[anti-entropy](/docs/architecture/anti-entropy) syncing. We can create a token using the [anti-entropy](/docs/architecture/anti-entropy) syncing. We can create a token using the
ACL API, and the ACL master token we set in the previous step: ACL API, and the ACL master token we set in the previous step:
@ -550,9 +550,9 @@ The next section shows an alternative to the anonymous token.
#### Set Agent-Specific Default Tokens (Optional) #### Set Agent-Specific Default Tokens (Optional)
An alternative to the anonymous token is the [`acl_token`](/docs/agent/options#acl_token) An alternative to the anonymous token is the [`acl_token`](/docs/agent/config/config-files#acl_token)
configuration item. When a request is made to a particular Consul agent and no token is configuration item. When a request is made to a particular Consul agent and no token is
supplied, the [`acl_token`](/docs/agent/options#acl_token) will be used for the token, supplied, the [`acl_token`](/docs/agent/config/config-files#acl_token) will be used for the token,
instead of being left empty which would normally invoke the anonymous token. instead of being left empty which would normally invoke the anonymous token.
In Consul 0.9.1 and later, the agent ACL tokens can be introduced or updated via the In Consul 0.9.1 and later, the agent ACL tokens can be introduced or updated via the
@ -563,7 +563,7 @@ agent, if desired. For example, this allows more fine grained control of what DN
given agent can service, or can give the agent read access to some key-value store prefixes by given agent can service, or can give the agent read access to some key-value store prefixes by
default. default.
If using [`acl_token`](/docs/agent/options#acl_token), then it's likely the anonymous If using [`acl_token`](/docs/agent/config/config-files#acl_token), then it's likely the anonymous
token will have a more restrictive policy than shown in the examples here. token will have a more restrictive policy than shown in the examples here.
#### Create Tokens for UI Use (Optional) #### Create Tokens for UI Use (Optional)
@ -727,7 +727,7 @@ starts with "bar".
Since [Agent API](/api/agent) utility operations may be required before an agent is joined to Since [Agent API](/api/agent) utility operations may be required before an agent is joined to
a cluster, or during an outage of the Consul servers or ACL datacenter, a special token may be a cluster, or during an outage of the Consul servers or ACL datacenter, a special token may be
configured with [`acl_agent_master_token`](/docs/agent/options#acl_agent_master_token) to allow configured with [`acl_agent_master_token`](/docs/agent/config/config-files#acl_agent_master_token) to allow
write access to these operations even if no ACL resolution capability is available. write access to these operations even if no ACL resolution capability is available.
#### Event Rules #### Event Rules
@ -753,7 +753,7 @@ starts with "deploy".
The [`consul exec`](/commands/exec) command uses events with the "\_rexec" prefix during The [`consul exec`](/commands/exec) command uses events with the "\_rexec" prefix during
operation, so to enable this feature in a Consul environment with ACLs enabled, you will need to operation, so to enable this feature in a Consul environment with ACLs enabled, you will need to
give agents a token with access to this event prefix, in addition to configuring give agents a token with access to this event prefix, in addition to configuring
[`disable_remote_exec`](/docs/agent/options#disable_remote_exec) to `false`. [`disable_remote_exec`](/docs/agent/config/config-files#disable_remote_exec) to `false`.
#### Key/Value Rules #### Key/Value Rules
@ -861,13 +861,13 @@ the example above, the rules allow read-only access to any node name with the em
read-write access to any node name that starts with "app", and deny all access to any node name that read-write access to any node name that starts with "app", and deny all access to any node name that
starts with "admin". starts with "admin".
Agents need to be configured with an [`acl_agent_token`](/docs/agent/options#acl_agent_token) Agents need to be configured with an [`acl_agent_token`](/docs/agent/config/config-files#acl_agent_token)
with at least "write" privileges to their own node name in order to register their information with with at least "write" privileges to their own node name in order to register their information with
the catalog, such as node metadata and tagged addresses. If this is configured incorrectly, the agent the catalog, such as node metadata and tagged addresses. If this is configured incorrectly, the agent
will print an error to the console when it tries to sync its state with the catalog. will print an error to the console when it tries to sync its state with the catalog.
Consul's DNS interface is also affected by restrictions on node rules. If the Consul's DNS interface is also affected by restrictions on node rules. If the
[`acl_token`](/docs/agent/options#acl_token) used by the agent does not have "read" access to a [`acl_token`](/docs/agent/config/config-files#acl_token) used by the agent does not have "read" access to a
given node, then the DNS interface will return no records when queried for it. given node, then the DNS interface will return no records when queried for it.
When reading from the catalog or retrieving information from the health endpoints, node rules are When reading from the catalog or retrieving information from the health endpoints, node rules are
@ -880,7 +880,7 @@ periodic [anti-entropy](/docs/architecture/anti-entropy) syncs, which may requir
ACL token to complete. To accommodate this, Consul provides two methods of configuring ACL tokens ACL token to complete. To accommodate this, Consul provides two methods of configuring ACL tokens
to use for registration events: to use for registration events:
1. Using the [acl_token](/docs/agent/options#acl_token) configuration 1. Using the [acl_token](/docs/agent/config/config-files#acl_token) configuration
directive. This allows a single token to be configured globally and used directive. This allows a single token to be configured globally and used
during all check registration operations. during all check registration operations.
2. Providing an ACL token with service and check definitions at 2. Providing an ACL token with service and check definitions at
@ -891,7 +891,7 @@ to use for registration events:
[HTTP API](/api) for operations that require them. [HTTP API](/api) for operations that require them.
In addition to ACLs, in Consul 0.9.0 and later, the agent must be configured with In addition to ACLs, in Consul 0.9.0 and later, the agent must be configured with
[`enable_script_checks`](/docs/agent/options#_enable_script_checks) set to `true` in order to enable [`enable_script_checks`](/docs/agent/config/config-files#enable_script_checks) set to `true` in order to enable
script checks. script checks.
#### Operator Rules #### Operator Rules
@ -1025,7 +1025,7 @@ read-write access to any service name that starts with "app", and deny all acces
starts with "admin". starts with "admin".
Consul's DNS interface is affected by restrictions on service rules. If the Consul's DNS interface is affected by restrictions on service rules. If the
[`acl_token`](/docs/agent/options#acl_token) used by the agent does not have "read" access to a [`acl_token`](/docs/agent/config/config-files#acl_token) used by the agent does not have "read" access to a
given service, then the DNS interface will return no records when queried for it. given service, then the DNS interface will return no records when queried for it.
When reading from the catalog or retrieving information from the health endpoints, service rules are When reading from the catalog or retrieving information from the health endpoints, service rules are
@ -1037,7 +1037,7 @@ performs periodic [anti-entropy](/docs/architecture/anti-entropy) syncs, which m
ACL token to complete. To accommodate this, Consul provides two methods of configuring ACL tokens ACL token to complete. To accommodate this, Consul provides two methods of configuring ACL tokens
to use for registration events: to use for registration events:
1. Using the [acl_token](/docs/agent/options#acl_token) configuration 1. Using the [acl_token](/docs/agent/config/config-files#acl_token) configuration
directive. This allows a single token to be configured globally and used directive. This allows a single token to be configured globally and used
during all service and check registration operations. during all service and check registration operations.
2. Providing an ACL token with service and check definitions at registration 2. Providing an ACL token with service and check definitions at registration
@ -1048,12 +1048,12 @@ to use for registration events:
API](/api) for operations that require them. **Note:** all tokens API](/api) for operations that require them. **Note:** all tokens
passed to an agent are persisted on local disk to allow recovery from passed to an agent are persisted on local disk to allow recovery from
restarts. See [`-data-dir` flag restarts. See [`-data-dir` flag
documentation](/docs/agent/options#acl_token) for notes on securing documentation](/docs/agent/config/config-files#acl_token) for notes on securing
access. access.
In addition to ACLs, in Consul 0.9.0 and later, the agent must be configured with In addition to ACLs, in Consul 0.9.0 and later, the agent must be configured with
[`enable_script_checks`](/docs/agent/options#_enable_script_checks) or [`enable_script_checks`](/docs/agent/config/config-files#enable_script_checks) or
[`enable_local_script_checks`](/docs/agent/options#_enable_local_script_checks) [`enable_local_script_checks`](/docs/agent/config/config-files#enable_local_script_checks)
set to `true` in order to enable script checks. set to `true` in order to enable script checks.
#### Session Rules #### Session Rules
@ -1084,20 +1084,20 @@ name that starts with "admin".
#### Outages and ACL Replication ((#replication)) #### Outages and ACL Replication ((#replication))
The Consul ACL system is designed with flexible rules to accommodate for an outage The Consul ACL system is designed with flexible rules to accommodate for an outage
of the [`acl_datacenter`](/docs/agent/options#acl_datacenter) or networking of the [`acl_datacenter`](/docs/agent/config/config-files#acl_datacenter) or networking
issues preventing access to it. In this case, it may be impossible for issues preventing access to it. In this case, it may be impossible for
agents in non-authoritative datacenters to resolve tokens. Consul provides agents in non-authoritative datacenters to resolve tokens. Consul provides
a number of configurable [`acl_down_policy`](/docs/agent/options#acl_down_policy) a number of configurable [`acl_down_policy`](/docs/agent/config/config-files#acl_down_policy)
choices to tune behavior. It is possible to deny or permit all actions or to ignore choices to tune behavior. It is possible to deny or permit all actions or to ignore
cache TTLs and enter a fail-safe mode. The default is to ignore cache TTLs cache TTLs and enter a fail-safe mode. The default is to ignore cache TTLs
for any previously resolved tokens and to deny any uncached tokens. for any previously resolved tokens and to deny any uncached tokens.
Consul 0.7 added an ACL Replication capability that can allow non-authoritative Consul 0.7 added an ACL Replication capability that can allow non-authoritative
datacenter agents to resolve even uncached tokens. This is enabled by setting an datacenter agents to resolve even uncached tokens. This is enabled by setting an
[`acl_replication_token`](/docs/agent/options#acl_replication_token) in the [`acl_replication_token`](/docs/agent/config/config-files#acl_replication_token) in the
configuration on the servers in the non-authoritative datacenters. In Consul configuration on the servers in the non-authoritative datacenters. In Consul
0.9.1 and later you can enable ACL replication using 0.9.1 and later you can enable ACL replication using
[`enable_acl_replication`](/docs/agent/options#enable_acl_replication) and [`enable_acl_replication`](/docs/agent/config/config-files#enable_acl_replication) and
then set the token later using the then set the token later using the
[agent token API](/api/agent#update-acl-tokens) on each server. This can [agent token API](/api/agent#update-acl-tokens) on each server. This can
also be used to rotate the token without restarting the Consul servers. also be used to rotate the token without restarting the Consul servers.
@ -1113,7 +1113,7 @@ every 30 seconds. Replicated changes are written at a rate that's throttled to
a large set of ACLs. a large set of ACLs.
If there's a partition or other outage affecting the authoritative datacenter, If there's a partition or other outage affecting the authoritative datacenter,
and the [`acl_down_policy`](/docs/agent/options#acl_down_policy) and the [`acl_down_policy`](/docs/agent/config/config-files#acl_down_policy)
is set to "extend-cache", tokens will be resolved during the outage using the is set to "extend-cache", tokens will be resolved during the outage using the
replicated set of ACLs. An [ACL replication status](/api-docs/acl#check-acl-replication) replicated set of ACLs. An [ACL replication status](/api-docs/acl#check-acl-replication)
endpoint is available to monitor the health of the replication process. endpoint is available to monitor the health of the replication process.
@ -1123,7 +1123,7 @@ already cached and is expired while similar semantics than "extend-cache".
It allows to avoid having issues when connectivity with the authoritative is not completely It allows to avoid having issues when connectivity with the authoritative is not completely
broken, but very slow. broken, but very slow.
Locally-resolved ACLs will be cached using the [`acl_ttl`](/docs/agent/options#acl_ttl) Locally-resolved ACLs will be cached using the [`acl_ttl`](/docs/agent/config/config-files#acl_ttl)
setting of the non-authoritative datacenter, so these entries may persist in the setting of the non-authoritative datacenter, so these entries may persist in the
cache for up to the TTL, even after the authoritative datacenter comes back online. cache for up to the TTL, even after the authoritative datacenter comes back online.
@ -1149,7 +1149,7 @@ Consul 0.8 added many more ACL policy types and brought ACL enforcement to Consu
agents for the first time. To ease the transition to Consul 0.8 for existing ACL agents for the first time. To ease the transition to Consul 0.8 for existing ACL
users, there's a configuration option to disable these new features. To disable users, there's a configuration option to disable these new features. To disable
support for these new ACLs, set the support for these new ACLs, set the
[`acl_enforce_version_8`](/docs/agent/options#acl_enforce_version_8) configuration [`acl_enforce_version_8`](/docs/agent/config/config-files#acl_enforce_version_8) configuration
option to `false` on Consul clients and servers. option to `false` on Consul clients and servers.
Here's a summary of the new features: Here's a summary of the new features:
@ -1172,31 +1172,31 @@ Here's a summary of the new features:
Two new configuration options are used once version 8 ACLs are enabled: Two new configuration options are used once version 8 ACLs are enabled:
- [`acl_agent_master_token`](/docs/agent/options#acl_agent_master_token) is used as - [`acl_agent_master_token`](/docs/agent/config/config-files#acl_agent_master_token) is used as
a special access token that has `agent` ACL policy `write` privileges on each agent where a special access token that has `agent` ACL policy `write` privileges on each agent where
it is configured, as well as `node` ACL policy `read` privileges for all nodes. This token it is configured, as well as `node` ACL policy `read` privileges for all nodes. This token
should only be used by operators during outages when Consul servers aren't available to should only be used by operators during outages when Consul servers aren't available to
resolve ACL tokens. Applications should use regular ACL tokens during normal operation. resolve ACL tokens. Applications should use regular ACL tokens during normal operation.
- [`acl_agent_token`](/docs/agent/options#acl_agent_token) is used internally by - [`acl_agent_token`](/docs/agent/config/config-files#acl_agent_token) is used internally by
Consul agents to perform operations to the service catalog when registering themselves Consul agents to perform operations to the service catalog when registering themselves
or sending network coordinates to the servers. This token must at least have `node` ACL or sending network coordinates to the servers. This token must at least have `node` ACL
policy `write` access to the node name it will register as in order to register any policy `write` access to the node name it will register as in order to register any
node-level information like metadata or tagged addresses. node-level information like metadata or tagged addresses.
Since clients now resolve ACLs locally, the [`acl_down_policy`](/docs/agent/options#acl_down_policy) Since clients now resolve ACLs locally, the [`acl_down_policy`](/docs/agent/config/config-files#acl_down_policy)
now applies to Consul clients as well as Consul servers. This will determine what the now applies to Consul clients as well as Consul servers. This will determine what the
client will do in the event that the servers are down. client will do in the event that the servers are down.
Consul clients must have [`acl_datacenter`](/docs/agent/options#acl_datacenter) configured Consul clients must have [`acl_datacenter`](/docs/agent/config/config-files#acl_datacenter) configured
in order to enable agent-level ACL features. If this is set, the agents will contact the Consul in order to enable agent-level ACL features. If this is set, the agents will contact the Consul
servers to determine if ACLs are enabled at the cluster level. If they detect that ACLs are not servers to determine if ACLs are enabled at the cluster level. If they detect that ACLs are not
enabled, they will check at most every 2 minutes to see if they have become enabled, and will enabled, they will check at most every 2 minutes to see if they have become enabled, and will
start enforcing ACLs automatically. If an agent has an `acl_datacenter` defined, operators will start enforcing ACLs automatically. If an agent has an `acl_datacenter` defined, operators will
need to use the [`acl_agent_master_token`](/docs/agent/options#acl_agent_master_token) to need to use the [`acl_agent_master_token`](/docs/agent/config/config-files#acl_agent_master_token) to
perform agent-level operations if the Consul servers aren't present (such as for a manual join perform agent-level operations if the Consul servers aren't present (such as for a manual join
to the cluster), unless the [`acl_down_policy`](/docs/agent/options#acl_down_policy) on the to the cluster), unless the [`acl_down_policy`](/docs/agent/config/config-files#acl_down_policy) on the
agent is set to "allow". agent is set to "allow".
Non-server agents do not need to have the Non-server agents do not need to have the
[`acl_master_token`](/docs/agent/options#acl_master_token) configured; it is not [`acl_master_token`](/docs/agent/config/config-files#acl_master_token) configured; it is not
used by agents in any way. used by agents in any way.

View File

@ -227,7 +227,7 @@ with `bar`.
Since [Agent API](/api/agent) utility operations may be required before an agent is joined to Since [Agent API](/api/agent) utility operations may be required before an agent is joined to
a cluster, or during an outage of the Consul servers or ACL datacenter, a special token may be a cluster, or during an outage of the Consul servers or ACL datacenter, a special token may be
configured with [`acl.tokens.agent_recovery`](/docs/agent/options#acl_tokens_agent_recovery) to allow configured with [`acl.tokens.agent_recovery`](/docs/agent/config/config-files#acl_tokens_agent_recovery) to allow
write access to these operations even if no ACL resolution capability is available. write access to these operations even if no ACL resolution capability is available.
## Event Rules ## Event Rules
@ -272,7 +272,7 @@ read-only access to any event, and firing of the "deploy" event.
The [`consul exec`](/commands/exec) command uses events with the "\_rexec" prefix during The [`consul exec`](/commands/exec) command uses events with the "\_rexec" prefix during
operation, so to enable this feature in a Consul environment with ACLs enabled, you will need to operation, so to enable this feature in a Consul environment with ACLs enabled, you will need to
give agents a token with access to this event prefix, in addition to configuring give agents a token with access to this event prefix, in addition to configuring
[`disable_remote_exec`](/docs/agent/options#disable_remote_exec) to `false`. [`disable_remote_exec`](/docs/agent/config/config-files#disable_remote_exec) to `false`.
## Key/Value Rules ## Key/Value Rules
@ -640,21 +640,21 @@ node "admin" {
Agents must be configured with `write` privileges for their own node name so that the agent can register their node metadata, tagged addresses, and other information in the catalog. Agents must be configured with `write` privileges for their own node name so that the agent can register their node metadata, tagged addresses, and other information in the catalog.
If configured incorrectly, the agent will print an error to the console when it tries to sync its state with the catalog. If configured incorrectly, the agent will print an error to the console when it tries to sync its state with the catalog.
Configure `write` access in the [`acl.tokens.agent`](/docs/agent/options#acl_tokens_agent) parameter. Configure `write` access in the [`acl.tokens.agent`](/docs/agent/config/config-files#acl_tokens_agent) parameter.
The [`acl.token.default`](/docs/agent/options#acl_tokens_default) used by the agent should have `read` access to a given node so that the DNS interface can be queried. The [`acl.token.default`](/docs/agent/config/config-files#acl_tokens_default) used by the agent should have `read` access to a given node so that the DNS interface can be queried.
Node rules are used to filter query results when reading from the catalog or retrieving information from the health endpoints. This allows for configurations where a token has access to a given service name, but only on an allowed subset of node names. Node rules are used to filter query results when reading from the catalog or retrieving information from the health endpoints. This allows for configurations where a token has access to a given service name, but only on an allowed subset of node names.
Consul agents check tokens locally when health checks are registered and when Consul performs periodic [anti-entropy](/docs/architecture/anti-entropy) syncs. Consul agents check tokens locally when health checks are registered and when Consul performs periodic [anti-entropy](/docs/architecture/anti-entropy) syncs.
These actions may required an ACL token to complete. Use the following methods to configure ACL tokens for registration events: These actions may required an ACL token to complete. Use the following methods to configure ACL tokens for registration events:
- Configure a global token in the [acl.tokens.default](/docs/agent/options#acl_tokens_default) parameter. * Configure a global token in the [acl.tokens.default](/docs/agent/config/config-files#acl_tokens_default) parameter.
This allows a single token to be used during all check registration operations. This allows a single token to be used during all check registration operations.
- Provide an ACL token with `service` and `check` definitions at registration time. * Provide an ACL token with `service` and `check` definitions at registration time.
This allows for greater flexibility and enables the use of multiple tokens on the same agent. This allows for greater flexibility and enables the use of multiple tokens on the same agent.
Refer to the [services](/docs/agent/services) and [checks](/docs/agent/checks) documentation for examples. Refer to the [services](/docs/discovery/services) and [checks](/docs/discovery/checks) documentation for examples.
Tokens may also be passed to the [HTTP API](/api) for operations that require them. Tokens may also be passed to the [HTTP API](/api) for operations that require them.
## Operator Rules ## Operator Rules
@ -835,7 +835,7 @@ service "admin" {
</CodeTabs> </CodeTabs>
Consul's DNS interface is affected by restrictions on service rules. If the Consul's DNS interface is affected by restrictions on service rules. If the
[`acl.tokens.default`](/docs/agent/options#acl_tokens_default) used by the agent does not have `read` access to a [`acl.tokens.default`](/docs/agent/config/config-files#acl_tokens_default) used by the agent does not have `read` access to a
given service, then the DNS interface will return no records when queried for it. given service, then the DNS interface will return no records when queried for it.
When reading from the catalog or retrieving information from the health endpoints, service rules are When reading from the catalog or retrieving information from the health endpoints, service rules are
@ -847,7 +847,7 @@ performs periodic [anti-entropy](/docs/architecture/anti-entropy) syncs, which m
ACL token to complete. To accommodate this, Consul provides two methods of configuring ACL tokens ACL token to complete. To accommodate this, Consul provides two methods of configuring ACL tokens
to use for registration events: to use for registration events:
1. Using the [acl.tokens.default](/docs/agent/options#acl_tokens_default) configuration 1. Using the [acl.tokens.default](/docs/agent/config/config-files#acl_tokens_default) configuration
directive. This allows a single token to be configured globally and used directive. This allows a single token to be configured globally and used
during all service and check registration operations. during all service and check registration operations.
2. Providing an ACL token with service and check definitions at registration 2. Providing an ACL token with service and check definitions at registration
@ -858,12 +858,12 @@ to use for registration events:
API](/api) for operations that require them. **Note:** all tokens API](/api) for operations that require them. **Note:** all tokens
passed to an agent are persisted on local disk to allow recovery from passed to an agent are persisted on local disk to allow recovery from
restarts. See [`-data-dir` flag restarts. See [`-data-dir` flag
documentation](/docs/agent/options#acl_token) for notes on securing documentation](/docs/agent/config/config-files#acl_token) for notes on securing
access. access.
In addition to ACLs, in Consul 0.9.0 and later, the agent must be configured with In addition to ACLs, in Consul 0.9.0 and later, the agent must be configured with
[`enable_script_checks`](/docs/agent/options#_enable_script_checks) or [`enable_script_checks`](/docs/agent/config/config-files#enable_script_checks) or
[`enable_local_script_checks`](/docs/agent/options#_enable_local_script_checks) [`enable_local_script_checks`](/docs/agent/config/config-files#enable_local_script_checks)
set to `true` in order to enable script checks. set to `true` in order to enable script checks.
Service rules are also used to grant read or write access to intentions. The Service rules are also used to grant read or write access to intentions. The

View File

@ -60,7 +60,7 @@ using the API or command line before they can be used by applications.
endpoints](/api/acl/binding-rules). endpoints](/api/acl/binding-rules).
-> **Note** - To configure auth methods in any connected secondary datacenter, -> **Note** - To configure auth methods in any connected secondary datacenter,
[ACL token replication](/docs/agent/options#acl_enable_token_replication) [ACL token replication](/docs/agent/config/config-files#acl_enable_token_replication)
must be enabled. Auth methods require the ability to create local tokens which must be enabled. Auth methods require the ability to create local tokens which
is restricted to the primary datacenter and any secondary datacenters with ACL is restricted to the primary datacenter and any secondary datacenters with ACL
token replication enabled. token replication enabled.

View File

@ -75,17 +75,17 @@ CA then signs keys for each of the agents, as in
~> Certificates need to be created with x509v3 extendedKeyUsage attributes for both clientAuth and serverAuth since Consul uses a single cert/key pair for both server and client communications. ~> Certificates need to be created with x509v3 extendedKeyUsage attributes for both clientAuth and serverAuth since Consul uses a single cert/key pair for both server and client communications.
TLS can be used to verify the authenticity of the servers or verify the authenticity of clients. TLS can be used to verify the authenticity of the servers or verify the authenticity of clients.
These modes are controlled by the [`verify_outgoing`](/docs/agent/options#verify_outgoing), These modes are controlled by the [`verify_outgoing`](/docs/agent/config/config-files#verify_outgoing),
[`verify_server_hostname`](/docs/agent/options#verify_server_hostname), [`verify_server_hostname`](/docs/agent/config/config-files#verify_server_hostname),
and [`verify_incoming`](/docs/agent/options#verify_incoming) options, respectively. and [`verify_incoming`](/docs/agent/config/config-files#verify_incoming) options, respectively.
If [`verify_outgoing`](/docs/agent/options#verify_outgoing) is set, agents verify the If [`verify_outgoing`](/docs/agent/config/config-files#verify_outgoing) is set, agents verify the
authenticity of Consul for outgoing connections. Server nodes must present a certificate signed authenticity of Consul for outgoing connections. Server nodes must present a certificate signed
by a common certificate authority present on all agents, set via the agent's by a common certificate authority present on all agents, set via the agent's
[`ca_file`](/docs/agent/options#ca_file) and [`ca_path`](/docs/agent/options#ca_path) [`ca_file`](/docs/agent/config/config-files#ca_file) and [`ca_path`](/docs/agent/config/config-files#ca_path)
options. All server nodes must have an appropriate key pair set using [`cert_file`](/docs/agent/options#cert_file) and [`key_file`](/docs/agent/options#key_file). options. All server nodes must have an appropriate key pair set using [`cert_file`](/docs/agent/config/config-files#cert_file) and [`key_file`](/docs/agent/config/config-files#key_file).
If [`verify_server_hostname`](/docs/agent/options#verify_server_hostname) is set, then If [`verify_server_hostname`](/docs/agent/config/config-files#verify_server_hostname) is set, then
outgoing connections perform hostname verification. All servers must have a certificate outgoing connections perform hostname verification. All servers must have a certificate
valid for `server.<datacenter>.<domain>` or the client will reject the handshake. This is valid for `server.<datacenter>.<domain>` or the client will reject the handshake. This is
a new configuration as of 0.5.1, and it is used to prevent a compromised client from being a new configuration as of 0.5.1, and it is used to prevent a compromised client from being
@ -93,12 +93,12 @@ able to restart in server mode and perform a MITM (Man-In-The-Middle) attack. Ne
to true, and generate the proper certificates, but this is defaulted to false to avoid breaking to true, and generate the proper certificates, but this is defaulted to false to avoid breaking
existing deployments. existing deployments.
If [`verify_incoming`](/docs/agent/options#verify_incoming) is set, the servers verify the If [`verify_incoming`](/docs/agent/config/config-files#verify_incoming) is set, the servers verify the
authenticity of all incoming connections. All clients must have a valid key pair set using authenticity of all incoming connections. All clients must have a valid key pair set using
[`cert_file`](/docs/agent/options#cert_file) and [`cert_file`](/docs/agent/config/config-files#cert_file) and
[`key_file`](/docs/agent/options#key_file). Servers will [`key_file`](/docs/agent/config/config-files#key_file). Servers will
also disallow any non-TLS connections. To force clients to use TLS, also disallow any non-TLS connections. To force clients to use TLS,
[`verify_outgoing`](/docs/agent/options#verify_outgoing) must also be set. [`verify_outgoing`](/docs/agent/config/config-files#verify_outgoing) must also be set.
TLS is used to secure the RPC calls between agents, but gossip between nodes is done over UDP TLS is used to secure the RPC calls between agents, but gossip between nodes is done over UDP
and is secured using a symmetric key. See above for enabling gossip encryption. and is secured using a symmetric key. See above for enabling gossip encryption.

View File

@ -72,28 +72,28 @@ environment and adapt these configurations accordingly.
- **mTLS** - Mutual authentication of both the TLS server and client x509 certificates prevents internal abuse through - **mTLS** - Mutual authentication of both the TLS server and client x509 certificates prevents internal abuse through
unauthorized access to Consul agents within the cluster. unauthorized access to Consul agents within the cluster.
- [`verify_incoming`](/docs/agent/options#verify_incoming) - By default this is false, and should almost always be set - [`verify_incoming`](/docs/agent/config/config-files#verify_incoming) - By default this is false, and should almost always be set
to true to require TLS verification for incoming client connections. This applies to both server RPC and to the to true to require TLS verification for incoming client connections. This applies to both server RPC and to the
HTTPS API. HTTPS API.
- [`verify_incoming_https`](/docs/agent/options#verify_incoming_https) - By default this is false, and should be set - [`verify_incoming_https`](/docs/agent/config/config-files#verify_incoming_https) - By default this is false, and should be set
to true to require clients to provide a valid TLS certificate when the Consul HTTPS API is enabled. TLS for the API to true to require clients to provide a valid TLS certificate when the Consul HTTPS API is enabled. TLS for the API
may be not be necessary if it is exclusively served over a loopback interface such as `localhost`. may be not be necessary if it is exclusively served over a loopback interface such as `localhost`.
- [`verify_incoming_rpc`](/docs/agent/options#verify_incoming_rpc) - By default this is false, and should almost - [`verify_incoming_rpc`](/docs/agent/config/config-files#verify_incoming_rpc) - By default this is false, and should almost
always be set to true to require clients to provide a valid TLS certificate for Consul agent RPCs. always be set to true to require clients to provide a valid TLS certificate for Consul agent RPCs.
- [`verify_outgoing`](/docs/agent/options#verify_outgoing) - By default this is false, and should be set to true to - [`verify_outgoing`](/docs/agent/config/config-files#verify_outgoing) - By default this is false, and should be set to true to
require TLS for outgoing connections from server or client agents. Servers that specify `verify_outgoing = true` require TLS for outgoing connections from server or client agents. Servers that specify `verify_outgoing = true`
will always talk to other servers over TLS, but they still accept non-TLS connections to allow for a transition of will always talk to other servers over TLS, but they still accept non-TLS connections to allow for a transition of
all clients to TLS. Currently the only way to enforce that no client can communicate with a server unencrypted is all clients to TLS. Currently the only way to enforce that no client can communicate with a server unencrypted is
to also enable `verify_incoming` which requires client certificates too. to also enable `verify_incoming` which requires client certificates too.
- [`enable_agent_tls_for_checks`](/docs/agent/options#enable_agent_tls_for_checks) - By default this is false, and - [`enable_agent_tls_for_checks`](/docs/agent/config/config-files#enable_agent_tls_for_checks) - By default this is false, and
should almost always be set to true to require mTLS to set up the client for HTTP or gRPC health checks. This was should almost always be set to true to require mTLS to set up the client for HTTP or gRPC health checks. This was
added in Consul 1.0.1. added in Consul 1.0.1.
- [`verify_server_hostname`](/docs/agent/options#verify_server_hostname) - By default this is false, and should be - [`verify_server_hostname`](/docs/agent/config/config-files#verify_server_hostname) - By default this is false, and should be
set to true to require that the TLS certificate presented by the servers matches set to true to require that the TLS certificate presented by the servers matches
`server.<datacenter>.<domain>` hostname for outgoing TLS connections. The default configuration does not verify the `server.<datacenter>.<domain>` hostname for outgoing TLS connections. The default configuration does not verify the
hostname of the certificate, only that it is signed by a trusted CA. This setting is critical to prevent a hostname of the certificate, only that it is signed by a trusted CA. This setting is critical to prevent a
@ -104,14 +104,14 @@ environment and adapt these configurations accordingly.
[CVE-2018-19653](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19653) for more details. This is fixed [CVE-2018-19653](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19653) for more details. This is fixed
in 1.4.1. in 1.4.1.
- [`auto_encrypt`](/docs/agent/options#auto_encrypt) - Enables automated TLS certificate distribution for client - [`auto_encrypt`](/docs/agent/config/config-files#auto_encrypt) - Enables automated TLS certificate distribution for client
agent RPC communication using the Connect CA. Using this configuration a [`ca_file`](/docs/agent/options#ca_file) agent RPC communication using the Connect CA. Using this configuration a [`ca_file`](/docs/agent/config/config-files#ca_file)
and ACL token would still need to be distributed to client agents. and ACL token would still need to be distributed to client agents.
- [`allow_tls`](/docs/agent/options#allow_tls) - By default this is false, and should be set to true on server - [`allow_tls`](/docs/agent/config/config-files#allow_tls) - By default this is false, and should be set to true on server
agents to allow certificates to be automatically generated and distributed from the Connect CA to client agents. agents to allow certificates to be automatically generated and distributed from the Connect CA to client agents.
- [`tls`](/docs/agent/options#tls) - By default this is false, and should be set to true on client agents to - [`tls`](/docs/agent/config/config-files#tls) - By default this is false, and should be set to true on client agents to
automatically request a client TLS certificate from the server's Connect CA. automatically request a client TLS certificate from the server's Connect CA.
**Example Server Agent TLS Configuration** **Example Server Agent TLS Configuration**
@ -144,7 +144,7 @@ environment and adapt these configurations accordingly.
} }
``` ```
-> The client agent TLS configuration from above sets [`verify_incoming`](/docs/agent/options#verify_incoming) to -> The client agent TLS configuration from above sets [`verify_incoming`](/docs/agent/config/config-files#verify_incoming) to
false which assumes all incoming traffic is restricted to `localhost`. The primary benefit for this configuration false which assumes all incoming traffic is restricted to `localhost`. The primary benefit for this configuration
would be to avoid provisioning client TLS certificates (in addition to ACL tokens) for all tools or applications would be to avoid provisioning client TLS certificates (in addition to ACL tokens) for all tools or applications
using the local Consul agent. In this case ACLs should be enabled to provide authorization and only ACL tokens would using the local Consul agent. In this case ACLs should be enabled to provide authorization and only ACL tokens would
@ -152,7 +152,7 @@ environment and adapt these configurations accordingly.
- **ACLs** - The access control list (ACL) system provides a security mechanism for Consul administrators to grant - **ACLs** - The access control list (ACL) system provides a security mechanism for Consul administrators to grant
capabilities tied to an individual human, or machine operator identity. To ultimately secure the ACL system, capabilities tied to an individual human, or machine operator identity. To ultimately secure the ACL system,
administrators should configure the [`default_policy`](/docs/agent/options#acl_default_policy) to "deny". administrators should configure the [`default_policy`](/docs/agent/config/config-files#acl_default_policy) to "deny".
The [system](/docs/security/acl/acl-system) is comprised of five major components: The [system](/docs/security/acl/acl-system) is comprised of five major components:
@ -179,10 +179,10 @@ environment and adapt these configurations accordingly.
Two optional gossip encryption options enable Consul servers without gossip encryption to safely upgrade. After Two optional gossip encryption options enable Consul servers without gossip encryption to safely upgrade. After
upgrading, the verification options should be enabled, or removed to set them to their default state: upgrading, the verification options should be enabled, or removed to set them to their default state:
- [`encrypt_verify_incoming`](/docs/agent/options#encrypt_verify_incoming) - By default this is true to enforce - [`encrypt_verify_incoming`](/docs/agent/config/config-files#encrypt_verify_incoming) - By default this is true to enforce
encryption on _incoming_ gossip communications. encryption on _incoming_ gossip communications.
- [`encrypt_verify_outgoing`](/docs/agent/options#encrypt_verify_outgoing) - By default this is true to enforce - [`encrypt_verify_outgoing`](/docs/agent/config/config-files#encrypt_verify_outgoing) - By default this is true to enforce
encryption on _outgoing_ gossip communications. encryption on _outgoing_ gossip communications.
- **Namespaces** <EnterpriseAlert inline /> - Read and write operations should be scoped to logical namespaces to - **Namespaces** <EnterpriseAlert inline /> - Read and write operations should be scoped to logical namespaces to
@ -223,19 +223,19 @@ environment and adapt these configurations accordingly.
- **Linux Security Modules** - Use of security modules that can be directly integrated into operating systems such as - **Linux Security Modules** - Use of security modules that can be directly integrated into operating systems such as
AppArmor, SElinux, and Seccomp on Consul agent hosts. AppArmor, SElinux, and Seccomp on Consul agent hosts.
- **Customize TLS Settings** - TLS settings such as the [available cipher suites](/docs/agent/options#tls_cipher_suites), - **Customize TLS Settings** - TLS settings such as the [available cipher suites](/docs/agent/config/config-files#tls_cipher_suites),
should be tuned to fit the needs of your environment. should be tuned to fit the needs of your environment.
- [`tls_min_version`](/docs/agent/options#tls_min_version) - Used to specify the minimum TLS version to use. - [`tls_min_version`](/docs/agent/config/config-files#tls_min_version) - Used to specify the minimum TLS version to use.
- [`tls_cipher_suites`](/docs/agent/options#tls_cipher_suites) - Used to specify which TLS cipher suites are allowed. - [`tls_cipher_suites`](/docs/agent/config/config-files#tls_cipher_suites) - Used to specify which TLS cipher suites are allowed.
- [`tls_prefer_server_cipher_suites`](/docs/agent/options#tls_prefer_server_cipher_suites) - Used to specify which TLS - [`tls_prefer_server_cipher_suites`](/docs/agent/config/config-files#tls_prefer_server_cipher_suites) - Used to specify which TLS
cipher suites are preferred on the server side. cipher suites are preferred on the server side.
- **Customize HTTP Response Headers** - Additional security headers, such as - **Customize HTTP Response Headers** - Additional security headers, such as
[`X-XSS-Protection`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection), can be [`X-XSS-Protection`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection), can be
[configured](/docs/agent/options#response_headers) for HTTP API responses. [configured](/docs/agent/config/config-files#response_headers) for HTTP API responses.
```hcl ```hcl
http_config { http_config {
@ -248,28 +248,28 @@ environment and adapt these configurations accordingly.
- **Customize Default Limits** - Consul has a number of builtin features with default connection limits that should be - **Customize Default Limits** - Consul has a number of builtin features with default connection limits that should be
tuned to fit your environment. tuned to fit your environment.
- [`http_max_conns_per_client`](/docs/agent/options#http_max_conns_per_client) - Used to limit concurrent access from - [`http_max_conns_per_client`](/docs/agent/config/config-files#http_max_conns_per_client) - Used to limit concurrent access from
a single client to the HTTP(S) endpoint on Consul agents. a single client to the HTTP(S) endpoint on Consul agents.
- [`https_handshake_timeout`](/docs/agent/options#https_handshake_timeout) - Used to timeout TLS connection for the - [`https_handshake_timeout`](/docs/agent/config/config-files#https_handshake_timeout) - Used to timeout TLS connection for the
HTTP(S) endpoint for Consul agents. HTTP(S) endpoint for Consul agents.
- [`rpc_handshake_timeout`](/docs/agent/options#rpc_handshake_timeout) - Used to timeout TLS connections for the RPC - [`rpc_handshake_timeout`](/docs/agent/config/config-files#rpc_handshake_timeout) - Used to timeout TLS connections for the RPC
endpoint for Consul agents. endpoint for Consul agents.
- [`rpc_max_conns_per_client`](/docs/agent/options#rpc_max_conns_per_client) - Used to limit concurrent access from a - [`rpc_max_conns_per_client`](/docs/agent/config/config-files#rpc_max_conns_per_client) - Used to limit concurrent access from a
single client to the RPC endpoint on Consul agents. single client to the RPC endpoint on Consul agents.
- [`rpc_rate`](/docs/agent/options#rpc_rate) - Disabled by default, this is used to limit (requests/second) for client - [`rpc_rate`](/docs/agent/config/config-files#rpc_rate) - Disabled by default, this is used to limit (requests/second) for client
agents making RPC calls to server agents. agents making RPC calls to server agents.
- [`rpc_max_burst`](/docs/agent/options#rpc_max_burst) - Used as the token bucket size for client agents making RPC - [`rpc_max_burst`](/docs/agent/config/config-files#rpc_max_burst) - Used as the token bucket size for client agents making RPC
calls to server agents. calls to server agents.
- [`kv_max_value_size`](/docs/agent/options#kv_max_value_size) - Used to configure the max number of bytes in a - [`kv_max_value_size`](/docs/agent/config/config-files#kv_max_value_size) - Used to configure the max number of bytes in a
key-value API request. key-value API request.
- [`txn_max_req_len`](/docs/agent/options#txn_max_req_len) - Used to configure the max number of bytes in a - [`txn_max_req_len`](/docs/agent/config/config-files#txn_max_req_len) - Used to configure the max number of bytes in a
transaction API request. transaction API request.
- **Secure UI Access** - Access to Consuls builtin UI can be secured in various ways: - **Secure UI Access** - Access to Consuls builtin UI can be secured in various ways:
@ -289,7 +289,7 @@ environment and adapt these configurations accordingly.
[Securing Consul with Access Control Lists (ACLs)](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production), [Securing Consul with Access Control Lists (ACLs)](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production),
which includes a section on [creating ACL tokens that provide a desired level UI access](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production#consul-ui-token). which includes a section on [creating ACL tokens that provide a desired level UI access](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production#consul-ui-token).
- **Restrict HTTP Writes** - Using the [`allow_write_http_from`](/docs/agent/options#allow_write_http_from) - **Restrict HTTP Writes** - Using the [`allow_write_http_from`](/docs/agent/config/config-files#allow_write_http_from)
configuration option to restrict write access for agent endpoints to hosts on the specified list of CIDRs. configuration option to restrict write access for agent endpoints to hosts on the specified list of CIDRs.
**Example Agent Configuration** **Example Agent Configuration**

View File

@ -198,14 +198,14 @@ We recommend raising an issue with the CNI you're using to add support for `host
and switching back to `hostPort` eventually. and switching back to `hostPort` eventually.
[troubleshooting]: https://learn.hashicorp.com/consul/day-2-operations/advanced-operations/troubleshooting [troubleshooting]: https://learn.hashicorp.com/consul/day-2-operations/advanced-operations/troubleshooting
[node_name]: /docs/agent/options#node_name [node_name]: /docs/agent/config/config-files#node_name
[retry_join]: /docs/agent/options#retry-join [retry_join]: /docs/agent/config/cli-flags#retry-join
[license]: /commands/license [license]: /commands/license
[releases]: https://releases.hashicorp.com/consul/ [releases]: https://releases.hashicorp.com/consul/
[files]: https://easyengine.io/tutorials/linux/increase-open-files-limit [files]: https://easyengine.io/tutorials/linux/increase-open-files-limit
[certificates]: https://learn.hashicorp.com/consul/advanced/day-1-operations/certificates [certificates]: https://learn.hashicorp.com/consul/advanced/day-1-operations/certificates
[systemd]: https://learn.hashicorp.com/consul/advanced/day-1-operations/deployment-guide#configure-systemd [systemd]: https://learn.hashicorp.com/consul/advanced/day-1-operations/deployment-guide#configure-systemd
[monitoring]: https://learn.hashicorp.com/consul/advanced/day-1-operations/monitoring [monitoring]: https://learn.hashicorp.com/consul/advanced/day-1-operations/monitoring
[bind]: /docs/agent/options#_bind [bind]: /docs/agent/config/cli-flags#_bind
[jq]: https://stedolan.github.io/jq/ [jq]: https://stedolan.github.io/jq/
[go-sockaddr]: https://godoc.org/github.com/hashicorp/go-sockaddr/template [go-sockaddr]: https://godoc.org/github.com/hashicorp/go-sockaddr/template

View File

@ -62,8 +62,8 @@ messages.
This anonymous ID can be disabled. In fact, using the Checkpoint service is This anonymous ID can be disabled. In fact, using the Checkpoint service is
optional and can be disabled. optional and can be disabled.
See [`disable_anonymous_signature`](/docs/agent/options#disable_anonymous_signature) See [`disable_anonymous_signature`](/docs/agent/config/config-files#disable_anonymous_signature)
and [`disable_update_check`](/docs/agent/options#disable_update_check). and [`disable_update_check`](/docs/agent/config/config-files#disable_update_check).
### Q: Does Consul rely on UDP Broadcast or Multicast? ### Q: Does Consul rely on UDP Broadcast or Multicast?
@ -116,7 +116,7 @@ as well as race conditions between data updates and watch registrations.
### Q: What network ports does Consul use? ### Q: What network ports does Consul use?
The [Ports Used](/docs/agent/options#ports) section of the Configuration The [Ports Used](/docs/agent/config/config-files#ports) section of the Configuration
documentation lists all ports that Consul uses. documentation lists all ports that Consul uses.
### Q: Does Consul require certain user process resource limits? ### Q: Does Consul require certain user process resource limits?
@ -143,7 +143,7 @@ of any excessive resource utilization before arbitrarily increasing the limits.
The default recommended limit on a key's value size is 512KB. This is strictly The default recommended limit on a key's value size is 512KB. This is strictly
enforced and an HTTP 413 status will be returned to any client that attempts to enforced and an HTTP 413 status will be returned to any client that attempts to
store more than that limit in a value. The limit can be increased by using the store more than that limit in a value. The limit can be increased by using the
[`kv_max_value_size`](/docs/agent/options#kv_max_value_size) configuration option. [`kv_max_value_size`](/docs/agent/config/config-files#kv_max_value_size) configuration option.
It should be noted that the Consul key/value store is not designed to be used as It should be noted that the Consul key/value store is not designed to be used as
a general purpose database. See a general purpose database. See

View File

@ -74,7 +74,7 @@ this snapshot somewhere safe. More documentation on snapshot usage is available
- [consul.io/commands/snapshot](/commands/snapshot) - [consul.io/commands/snapshot](/commands/snapshot)
- <https://learn.hashicorp.com/tutorials/consul/backup-and-restore> - <https://learn.hashicorp.com/tutorials/consul/backup-and-restore>
**2.** Temporarily modify your Consul configuration so that its [log_level](/docs/agent/options#_log_level) **2.** Temporarily modify your Consul configuration so that its [log_level](/docs/agent/config/cli-flags#_log_level)
is set to `debug`. After doing this, issue the following command on your servers to is set to `debug`. After doing this, issue the following command on your servers to
reload the configuration: reload the configuration:
@ -183,7 +183,7 @@ then the following options for further assistance are available:
When contacting Hashicorp Support, please include the following information in your ticket: When contacting Hashicorp Support, please include the following information in your ticket:
- Consul version you were upgrading FROM and TO. - Consul version you were upgrading FROM and TO.
- [Debug level logs](/docs/agent/options#_log_level) from all servers in the cluster - [Debug level logs](/docs/agent/config/cli-flags#_log_level) from all servers in the cluster
that you are having trouble with. These should include logs from prior to the upgrade attempt that you are having trouble with. These should include logs from prior to the upgrade attempt
up through the current time. If your logs were not set at debug level prior to the up through the current time. If your logs were not set at debug level prior to the
upgrade, please include those logs as well. Also, update your config to use debug logs, upgrade, please include those logs as well. Also, update your config to use debug logs,

View File

@ -20,7 +20,7 @@ Here is some documentation that may prove useful for reference during this upgra
- [ACL System in Legacy Mode](/docs/security/acl/acl-legacy) - You can find - [ACL System in Legacy Mode](/docs/security/acl/acl-legacy) - You can find
information about legacy configuration options and differences between modes here. information about legacy configuration options and differences between modes here.
- [Configuration](/docs/agent/options) - You can find more details - [Configuration](https://www.consul.io/docs/agent/config) - You can find more details
around legacy ACL and new ACL configuration options here. Legacy ACL config options around legacy ACL and new ACL configuration options here. Legacy ACL config options
will be listed as deprecates as of 1.4.0. will be listed as deprecates as of 1.4.0.
@ -51,7 +51,7 @@ Looking through these changes prior to upgrading is highly recommended.
Two very notable items are: Two very notable items are:
- 1.6.2 introduced more strict JSON decoding. Invalid JSON that was previously ignored might result in errors now (e.g., `Connect: null` in service definitions). See [[GH#6680](https://github.com/hashicorp/consul/pull/6680)]. - 1.6.2 introduced more strict JSON decoding. Invalid JSON that was previously ignored might result in errors now (e.g., `Connect: null` in service definitions). See [[GH#6680](https://github.com/hashicorp/consul/pull/6680)].
- 1.6.3 introduced the [http_max_conns_per_client](/docs/agent/options#http_max_conns_per_client) limit. This defaults to 200. Prior to this, connections per client were unbounded. [[GH#7159](https://github.com/hashicorp/consul/issues/7159)] - 1.6.3 introduced the [http_max_conns_per_client](/docs/agent/config/config-files#http_max_conns_per_client) limit. This defaults to 200. Prior to this, connections per client were unbounded. [[GH#7159](https://github.com/hashicorp/consul/issues/7159)]
## Procedure ## Procedure
@ -202,8 +202,8 @@ update those now to avoid issues when moving to newer versions.
These are the changes you will need to make: These are the changes you will need to make:
- `acl_datacenter` is now named `primary_datacenter` (review our [docs](/docs/agent/options#primary_datacenter) for more info) - `acl_datacenter` is now named `primary_datacenter` (review our [docs](/docs/agent/config/config-files#primary_datacenter) for more info)
- `acl_default_policy`, `acl_down_policy`, `acl_ttl`, `acl_*_token` and `enable_acl_replication` options are now specified like this (review our [docs](/docs/agent/options#acl) for more info): - `acl_default_policy`, `acl_down_policy`, `acl_ttl`, `acl_*_token` and `enable_acl_replication` options are now specified like this (review our [docs](/docs/agent/config/config-files#acl) for more info):
```hcl ```hcl
acl { acl {
enabled = true/false enabled = true/false

View File

@ -42,7 +42,7 @@ Due to this rename the following endpoint is also deprecated:
These config keys are now deprecated: These config keys are now deprecated:
- `audit.sink[].name` - `audit.sink[].name`
- [`dns_config.dns_prefer_namespace`](/docs/agent/options#dns_prefer_namespace) - [`dns_config.dns_prefer_namespace`](/docs/agent/config/config-files#dns_prefer_namespace)
### Deprecated CLI Subcommands ### Deprecated CLI Subcommands
@ -107,8 +107,8 @@ have a license loaded from a configuration file or from their environment the sa
agents must have the license specified. Both agents can still perform automatic retrieval of their agents must have the license specified. Both agents can still perform automatic retrieval of their
license but with a few extra stipulations. First, license auto-retrieval now requires that ACLs license but with a few extra stipulations. First, license auto-retrieval now requires that ACLs
are on and that the client or snapshot agent is configured with a valid ACL token. Secondly, client are on and that the client or snapshot agent is configured with a valid ACL token. Secondly, client
agents require that either the [`start_join`](/docs/agent/options#start_join) or agents require that either the [`start_join`](/docs/agent/config/config-files#start_join) or
[`retry_join`](/docs/agent/options#retry_join) configurations are set and that they resolve to server [`retry_join`](/docs/agent/config/config-files#retry_join) configurations are set and that they resolve to server
agents. If those stipulations are not met, attempting to start the client or snapshot agent will agents. If those stipulations are not met, attempting to start the client or snapshot agent will
result in it immediately shutting down. result in it immediately shutting down.
@ -202,7 +202,7 @@ to Consul 1.9.0.
### Changes to Configuration Defaults ### Changes to Configuration Defaults
The [`enable_central_service_config`](/docs/agent/options#enable_central_service_config) The [`enable_central_service_config`](/docs/agent/config/config-files#enable_central_service_config)
configuration now defaults to `true`. configuration now defaults to `true`.
### Changes to Intentions ### Changes to Intentions
@ -271,7 +271,7 @@ behavior:
#### Removal of Deprecated Features #### Removal of Deprecated Features
The [`acl_enforce_version_8`](/docs/agent/options#acl_enforce_version_8) The [`acl_enforce_version_8`](/docs/agent/config/config-files#acl_enforce_version_8)
configuration has been removed (with version 8 ACL support by being on by configuration has been removed (with version 8 ACL support by being on by
default). default).
@ -314,7 +314,7 @@ to more precisely capture the view of _active_ blocking queries.
### Vault: default `http_max_conns_per_client` too low to run Vault properly ### Vault: default `http_max_conns_per_client` too low to run Vault properly
Consul 1.7.0 introduced [limiting of connections per client](/docs/agent/options#http_max_conns_per_client). The default value Consul 1.7.0 introduced [limiting of connections per client](/docs/agent/config/config-files#http_max_conns_per_client). The default value
was 100, but Vault could use up to 128, which caused problems. If you want to use Vault with Consul 1.7.0, you should change the value to 200. was 100, but Vault could use up to 128, which caused problems. If you want to use Vault with Consul 1.7.0, you should change the value to 200.
Starting with Consul 1.7.1 this is the new default. Starting with Consul 1.7.1 this is the new default.
@ -322,7 +322,7 @@ Starting with Consul 1.7.1 this is the new default.
### Vault: default `http_max_conns_per_client` too low to run Vault properly ### Vault: default `http_max_conns_per_client` too low to run Vault properly
Consul 1.6.3 introduced [limiting of connections per client](/docs/agent/options#http_max_conns_per_client). The default value Consul 1.6.3 introduced [limiting of connections per client](/docs/agent/config/config-files#http_max_conns_per_client). The default value
was 100, but Vault could use up to 128, which caused problems. If you want to use Vault with Consul 1.6.3 through 1.7.0, you should change the value to 200. was 100, but Vault could use up to 128, which caused problems. If you want to use Vault with Consul 1.6.3 through 1.7.0, you should change the value to 200.
Starting with Consul 1.7.1 this is the new default. Starting with Consul 1.7.1 this is the new default.
@ -361,7 +361,7 @@ datacenter". All configuration is backwards compatible and shouldn't need to
change prior to upgrade although it's strongly recommended to migrate ACL change prior to upgrade although it's strongly recommended to migrate ACL
configuration to the new syntax soon after upgrade. This includes moving to configuration to the new syntax soon after upgrade. This includes moving to
`primary_datacenter` rather than `acl_datacenter` and `acl_*` to the new [ACL `primary_datacenter` rather than `acl_datacenter` and `acl_*` to the new [ACL
block](/docs/agent/options#acl). block](/docs/agent/config/config-files#acl).
Datacenters can be upgraded in any order although secondaries will remain in Datacenters can be upgraded in any order although secondaries will remain in
[Legacy ACL mode](#legacy-acl-mode) until the primary datacenter is fully [Legacy ACL mode](#legacy-acl-mode) until the primary datacenter is fully
@ -488,11 +488,11 @@ The following previously deprecated fields and config options have been removed:
Consul 1.0.1 (and earlier versions of Consul) checked for raft snapshots every Consul 1.0.1 (and earlier versions of Consul) checked for raft snapshots every
5 seconds, and created new snapshots for every 8192 writes. These defaults cause 5 seconds, and created new snapshots for every 8192 writes. These defaults cause
constant disk IO in large busy clusters. Consul 1.1.0 increases these to larger values, constant disk IO in large busy clusters. Consul 1.1.0 increases these to larger values,
and makes them tunable via the [raft_snapshot_interval](/docs/agent/options#_raft_snapshot_interval) and and makes them tunable via the [raft_snapshot_interval](/docs/agent/config/config-files#_raft_snapshot_interval) and
[raft_snapshot_threshold](/docs/agent/options#_raft_snapshot_threshold) parameters. We recommend [raft_snapshot_threshold](/docs/agent/config/config-files#_raft_snapshot_threshold) parameters. We recommend
keeping the new defaults. However, operators can go back to the old defaults by changing their keeping the new defaults. However, operators can go back to the old defaults by changing their
config if they prefer more frequent snapshots. See the documentation for [raft_snapshot_interval](/docs/agent/options#_raft_snapshot_interval) config if they prefer more frequent snapshots. See the documentation for [raft_snapshot_interval](/docs/agent/config/config-files#_raft_snapshot_interval)
and [raft_snapshot_threshold](/docs/agent/options#_raft_snapshot_threshold) to understand the trade-offs and [raft_snapshot_threshold](/docs/agent/config/config-files#_raft_snapshot_threshold) to understand the trade-offs
when tuning these. when tuning these.
## Consul 1.0.7 ## Consul 1.0.7
@ -520,7 +520,7 @@ before proceeding.
#### Carefully Check and Remove Stale Servers During Rolling Upgrades #### Carefully Check and Remove Stale Servers During Rolling Upgrades
Consul 1.0 (and earlier versions of Consul when running with [Raft protocol Consul 1.0 (and earlier versions of Consul when running with [Raft protocol
3](/docs/agent/options#_raft_protocol) had an issue where performing 3](/docs/agent/config/config-files#_raft_protocol) had an issue where performing
rolling updates of Consul servers could result in an outage from old servers rolling updates of Consul servers could result in an outage from old servers
remaining in the cluster. remaining in the cluster.
[Autopilot](https://learn.hashicorp.com/tutorials/consul/autopilot-datacenter-operations) [Autopilot](https://learn.hashicorp.com/tutorials/consul/autopilot-datacenter-operations)
@ -541,7 +541,7 @@ Please be sure to read over all the details here before upgrading.
#### Raft Protocol Now Defaults to 3 #### Raft Protocol Now Defaults to 3
The [`-raft-protocol`](/docs/agent/options#_raft_protocol) default has The [`-raft-protocol`](/docs/agent/config/cli-flags#_raft_protocol) default has
been changed from 2 to 3, enabling all been changed from 2 to 3, enabling all
[Autopilot](https://learn.hashicorp.com/tutorials/consul/autopilot-datacenter-operations) [Autopilot](https://learn.hashicorp.com/tutorials/consul/autopilot-datacenter-operations)
features by default. features by default.
@ -570,7 +570,7 @@ servers, and then slowly stand down each of the older servers in a similar
fashion. fashion.
When using Raft protocol version 3, servers are identified by their When using Raft protocol version 3, servers are identified by their
[`-node-id`](/docs/agent/options#_node_id) instead of their IP address [`-node-id`](/docs/agent/config/cli-flags#_node_id) instead of their IP address
when Consul makes changes to its internal Raft quorum configuration. This means when Consul makes changes to its internal Raft quorum configuration. This means
that once a cluster has been upgraded with servers all running Raft protocol that once a cluster has been upgraded with servers all running Raft protocol
version 3, it will no longer allow servers running any older Raft protocol version 3, it will no longer allow servers running any older Raft protocol
@ -585,7 +585,7 @@ to map the server to its node ID in the Raft quorum configuration.
As part of supporting the [HCL](https://github.com/hashicorp/hcl#syntax) format As part of supporting the [HCL](https://github.com/hashicorp/hcl#syntax) format
for Consul's config files, an `.hcl` or `.json` extension is required for all for Consul's config files, an `.hcl` or `.json` extension is required for all
config files loaded by Consul, even when using the config files loaded by Consul, even when using the
[`-config-file`](/docs/agent/options#_config_file) argument to specify a [`-config-file`](/docs/agent/config/cli-flags#_config_file) argument to specify a
file directly. file directly.
#### Service Definition Parameter Case changed #### Service Definition Parameter Case changed
@ -602,40 +602,40 @@ upgrading. Here's the complete list of removed options and their equivalents:
| Removed Option | Equivalent | | Removed Option | Equivalent |
| ------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-dc` | [`-datacenter`](/docs/agent/options#_datacenter) | | `-dc` | [`-datacenter`](/docs/agent/config/cli-flags#_datacenter) |
| `-retry-join-azure-tag-name` | [`-retry-join`](/docs/agent/options#_retry_join) | | `-retry-join-azure-tag-name` | [`-retry-join`](/docs/agent/config/cli-flags#_retry_join) |
| `-retry-join-azure-tag-value` | [`-retry-join`](/docs/agent/options#_retry_join) | | `-retry-join-azure-tag-value` | [`-retry-join`](/docs/agent/config/cli-flags#_retry_join) |
| `-retry-join-ec2-region` | [`-retry-join`](/docs/agent/options#_retry_join) | | `-retry-join-ec2-region` | [`-retry-join`](/docs/agent/config/cli-flags#_retry_join) |
| `-retry-join-ec2-tag-key` | [`-retry-join`](/docs/agent/options#_retry_join) | | `-retry-join-ec2-tag-key` | [`-retry-join`](/docs/agent/config/cli-flags#_retry_join) |
| `-retry-join-ec2-tag-value` | [`-retry-join`](/docs/agent/options#_retry_join) | | `-retry-join-ec2-tag-value` | [`-retry-join`](/docs/agent/config/cli-flags#_retry_join) |
| `-retry-join-gce-credentials-file` | [`-retry-join`](/docs/agent/options#_retry_join) | | `-retry-join-gce-credentials-file` | [`-retry-join`](/docs/agent/config/cli-flags#_retry_join) |
| `-retry-join-gce-project-name` | [`-retry-join`](/docs/agent/options#_retry_join) | | `-retry-join-gce-project-name` | [`-retry-join`](/docs/agent/config/cli-flags#_retry_join) |
| `-retry-join-gce-tag-name` | [`-retry-join`](/docs/agent/options#_retry_join) | | `-retry-join-gce-tag-name` | [`-retry-join`](/docs/agent/config/cli-flags#_retry_join) |
| `-retry-join-gce-zone-pattern` | [`-retry-join`](/docs/agent/options#_retry_join) | | `-retry-join-gce-zone-pattern` | [`-retry-join`](/docs/agent/config/cli-flags#_retry_join) |
| `addresses.rpc` | None, the RPC server for CLI commands is no longer supported. | | `addresses.rpc` | None, the RPC server for CLI commands is no longer supported. |
| `advertise_addrs` | [`ports`](/docs/agent/options#ports) with [`advertise_addr`](/docs/agent/options#advertise_addr) and/or [`advertise_addr_wan`](/docs/agent/options#advertise_addr_wan) | | `advertise_addrs` | [`ports`](/docs/agent/config/config-files#ports) with [`advertise_addr`](/docs/agent/config/config-files#advertise_addr) and/or [`advertise_addr_wan`](/docs/agent/config/config-files#advertise_addr_wan) |
| `dogstatsd_addr` | [`telemetry.dogstatsd_addr`](/docs/agent/options#telemetry-dogstatsd_addr) | | `dogstatsd_addr` | [`telemetry.dogstatsd_addr`](/docs/agent/config/config-files#telemetry-dogstatsd_addr) |
| `dogstatsd_tags` | [`telemetry.dogstatsd_tags`](/docs/agent/options#telemetry-dogstatsd_tags) | | `dogstatsd_tags` | [`telemetry.dogstatsd_tags`](/docs/agent/config/config-files#telemetry-dogstatsd_tags) |
| `http_api_response_headers` | [`http_config.response_headers`](/docs/agent/options#response_headers) | | `http_api_response_headers` | [`http_config.response_headers`](/docs/agent/config/config-files#response_headers) |
| `ports.rpc` | None, the RPC server for CLI commands is no longer supported. | | `ports.rpc` | None, the RPC server for CLI commands is no longer supported. |
| `recursor` | [`recursors`](https://github.com/hashicorp/consul/blob/main/website/pages/docs/agent/options.mdx#recursors) | | `recursor` | [`recursors`](https://github.com/hashicorp/consul/blob/main/website/pages/docs/agent/config/config-files.mdx#recursors) |
| `retry_join_azure` | [`-retry-join`](/docs/agent/options#_retry_join) | | `retry_join_azure` | [`-retry-join`](/docs/agent/config/cli-flags#_retry_join) |
| `retry_join_ec2` | [`-retry-join`](/docs/agent/options#_retry_join) | | `retry_join_ec2` | [`-retry-join`](/docs/agent/config/cli-flags#_retry_join) |
| `retry_join_gce` | [`-retry-join`](/docs/agent/options#_retry_join) | | `retry_join_gce` | [`-retry-join`](/docs/agent/config/cli-flags#_retry_join) |
| `statsd_addr` | [`telemetry.statsd_address`](https://github.com/hashicorp/consul/blob/main/website/pages/docs/agent/options.mdx#telemetry-statsd_address) | | `statsd_addr` | [`telemetry.statsd_address`](https://github.com/hashicorp/consul/blob/main/website/pages/docs/agent/config/config-files.mdx#telemetry-statsd_address) |
| `statsite_addr` | [`telemetry.statsite_address`](https://github.com/hashicorp/consul/blob/main/website/pages/docs/agent/options.mdx#telemetry-statsite_address) | | `statsite_addr` | [`telemetry.statsite_address`](https://github.com/hashicorp/consul/blob/main/website/pages/docs/agent/config/config-files.mdx#telemetry-statsite_address) |
| `statsite_prefix` | [`telemetry.metrics_prefix`](/docs/agent/options#telemetry-metrics_prefix) | | `statsite_prefix` | [`telemetry.metrics_prefix`](/docs/agent/config/config-files#telemetry-metrics_prefix) |
| `telemetry.statsite_prefix` | [`telemetry.metrics_prefix`](/docs/agent/options#telemetry-metrics_prefix) | | `telemetry.statsite_prefix` | [`telemetry.metrics_prefix`](/docs/agent/config/config-files#telemetry-metrics_prefix) |
| (service definitions) `serviceid` | [`service_id`](/docs/discovery/services) | | (service definitions) `serviceid` | [`service_id`](/docs/agent/services) |
| (service definitions) `dockercontainerid` | [`docker_container_id`](/docs/discovery/services) | | (service definitions) `dockercontainerid` | [`docker_container_id`](/docs/agent/services) |
| (service definitions) `tlsskipverify` | [`tls_skip_verify`](/docs/discovery/services) | | (service definitions) `tlsskipverify` | [`tls_skip_verify`](/docs/agent/services) |
| (service definitions) `deregistercriticalserviceafter` | [`deregister_critical_service_after`](/docs/discovery/services) | | (service definitions) `deregistercriticalserviceafter` | [`deregister_critical_service_after`](/docs/agent/services) |
#### `statsite_prefix` Renamed to `metrics_prefix` #### `statsite_prefix` Renamed to `metrics_prefix`
Since the `statsite_prefix` configuration option applied to all telemetry Since the `statsite_prefix` configuration option applied to all telemetry
providers, `statsite_prefix` was renamed to providers, `statsite_prefix` was renamed to
[`metrics_prefix`](/docs/agent/options#telemetry-metrics_prefix). [`metrics_prefix`](/docs/agent/config/config-files#telemetry-metrics_prefix).
Configuration files will need to be updated when upgrading to this version of Configuration files will need to be updated when upgrading to this version of
Consul. Consul.
@ -647,8 +647,8 @@ wrongly stated that you could configure both host and port.
#### Escaping Behavior Changed for go-discover Configs #### Escaping Behavior Changed for go-discover Configs
The format for [`-retry-join`](/docs/agent/options#retry-join) and The format for [`-retry-join`](/docs/agent/config/cli-flags#retry-join) and
[`-retry-join-wan`](/docs/agent/options#retry-join-wan) values that use [`-retry-join-wan`](/docs/agent/config/cli-flags#retry-join-wan) values that use
[go-discover](https://github.com/hashicorp/go-discover) cloud auto joining has [go-discover](https://github.com/hashicorp/go-discover) cloud auto joining has
changed. Values in `key=val` sequences must no longer be URL encoded and can be changed. Values in `key=val` sequences must no longer be URL encoded and can be
provided as literals as long as they do not contain spaces, backslashes `\` or provided as literals as long as they do not contain spaces, backslashes `\` or
@ -766,7 +766,7 @@ invalid health checks would get skipped.
#### Script Checks Are Now Opt-In #### Script Checks Are Now Opt-In
A new [`enable_script_checks`](/docs/agent/options#_enable_script_checks) A new [`enable_script_checks`](/docs/agent/config/cli-flags#_enable_script_checks)
configuration option was added, and defaults to `false`, meaning that in order configuration option was added, and defaults to `false`, meaning that in order
to allow an agent to run health checks that execute scripts, this will need to to allow an agent to run health checks that execute scripts, this will need to
be configured and set to `true`. This provides a safer out-of-the-box be configured and set to `true`. This provides a safer out-of-the-box
@ -788,10 +788,10 @@ for more information.
Consul releases will no longer include a `web_ui.zip` file with the compiled Consul releases will no longer include a `web_ui.zip` file with the compiled
web assets. These have been built in to the Consul binary since the 0.7.x web assets. These have been built in to the Consul binary since the 0.7.x
series and can be enabled with the [`-ui`](/docs/agent/options#_ui) series and can be enabled with the [`-ui`](/docs/agent/config/cli-flags#_ui)
configuration option. These built-in web assets have always been identical to configuration option. These built-in web assets have always been identical to
the contents of the `web_ui.zip` file for each release. The the contents of the `web_ui.zip` file for each release. The
[`-ui-dir`](/docs/agent/options#_ui_dir) option is still available for [`-ui-dir`](/docs/agent/config/cli-flags#_ui_dir) option is still available for
hosting customized versions of the web assets, but the vast majority of Consul hosting customized versions of the web assets, but the vast majority of Consul
users can just use the built in web assets. users can just use the built in web assets.
@ -823,12 +823,12 @@ to the following commands:
#### Version 8 ACLs Are Now Opt-Out #### Version 8 ACLs Are Now Opt-Out
The [`acl_enforce_version_8`](/docs/agent/options#acl_enforce_version_8) The [`acl_enforce_version_8`](/docs/agent/config/config-files#acl_enforce_version_8)
configuration now defaults to `true` to enable full version 8 ACL support by configuration now defaults to `true` to enable full version 8 ACL support by
default. If you are upgrading an existing cluster with ACLs enabled, you will default. If you are upgrading an existing cluster with ACLs enabled, you will
need to set this to `false` during the upgrade on **both Consul agents and need to set this to `false` during the upgrade on **both Consul agents and
Consul servers**. Version 8 ACLs were also changed so that Consul servers**. Version 8 ACLs were also changed so that
[`acl_datacenter`](/docs/agent/options#acl_datacenter) must be set on [`acl_datacenter`](/docs/agent/config/config-files#acl_datacenter) must be set on
agents in order to enable the agent-side enforcement of ACLs. This makes for a agents in order to enable the agent-side enforcement of ACLs. This makes for a
smoother experience in clusters where ACLs aren't enabled at all, but where the smoother experience in clusters where ACLs aren't enabled at all, but where the
agents would have to wait to contact a Consul server before learning that. agents would have to wait to contact a Consul server before learning that.
@ -836,14 +836,14 @@ agents would have to wait to contact a Consul server before learning that.
#### Remote Exec Is Now Opt-In #### Remote Exec Is Now Opt-In
The default for The default for
[`disable_remote_exec`](/docs/agent/options#disable_remote_exec) was [`disable_remote_exec`](/docs/agent/config/config-files#disable_remote_exec) was
changed to "true", so now operators need to opt-in to having agents support changed to "true", so now operators need to opt-in to having agents support
running commands remotely via [`consul exec`](/commands/exec). running commands remotely via [`consul exec`](/commands/exec).
#### Raft Protocol Version Compatibility #### Raft Protocol Version Compatibility
When upgrading to Consul 0.8.0 from a version lower than 0.7.0, users will need When upgrading to Consul 0.8.0 from a version lower than 0.7.0, users will need
to set the [`-raft-protocol`](/docs/agent/options#_raft_protocol) option to set the [`-raft-protocol`](/docs/agent/config/cli-flags#_raft_protocol) option
to 1 in order to maintain backwards compatibility with the old servers during to 1 in order to maintain backwards compatibility with the old servers during
the upgrade. After the servers have been migrated to version 0.8.0, the upgrade. After the servers have been migrated to version 0.8.0,
`-raft-protocol` can be moved up to 2 and the servers restarted to match the `-raft-protocol` can be moved up to 2 and the servers restarted to match the
@ -878,7 +878,7 @@ process to reap child processes.
#### DNS Resiliency Defaults #### DNS Resiliency Defaults
The default for [`max_stale`](/docs/agent/options#max_stale) has been The default for [`max_stale`](/docs/agent/config/config-files#max_stale) has been
increased from 5 seconds to a near-indefinite threshold (10 years) to allow DNS increased from 5 seconds to a near-indefinite threshold (10 years) to allow DNS
queries to continue to be served in the event of a long outage with no leader. queries to continue to be served in the event of a long outage with no leader.
A new telemetry counter was added at `consul.dns.stale_queries` to track when A new telemetry counter was added at `consul.dns.stale_queries` to track when
@ -892,7 +892,7 @@ to be aware of during an upgrade are categorized below.
#### Performance Timing Defaults and Tuning #### Performance Timing Defaults and Tuning
Consul 0.7 now defaults the DNS configuration to allow for stale queries by Consul 0.7 now defaults the DNS configuration to allow for stale queries by
defaulting [`allow_stale`](/docs/agent/options#allow_stale) to true for defaulting [`allow_stale`](/docs/agent/config/config-files#allow_stale) to true for
better utilization of available servers. If you want to retain the previous better utilization of available servers. If you want to retain the previous
behavior, set the following configuration: behavior, set the following configuration:
@ -905,7 +905,7 @@ behavior, set the following configuration:
``` ```
Consul also 0.7 introduced support for tuning Raft performance using a new Consul also 0.7 introduced support for tuning Raft performance using a new
[performance configuration block](/docs/agent/options#performance). Also, [performance configuration block](/docs/agent/config/config-files#performance). Also,
the default Raft timing is set to a lower-performance mode suitable for the default Raft timing is set to a lower-performance mode suitable for
[minimal Consul servers](/docs/install/performance#minimum). [minimal Consul servers](/docs/install/performance#minimum).
@ -925,8 +925,8 @@ See the [Server Performance](/docs/install/performance) guide for more details.
#### Leave-Related Configuration Defaults #### Leave-Related Configuration Defaults
The default behavior of [`leave_on_terminate`](/docs/agent/options#leave_on_terminate) The default behavior of [`leave_on_terminate`](/docs/agent/config/config-files#leave_on_terminate)
and [`skip_leave_on_interrupt`](/docs/agent/options#skip_leave_on_interrupt) and [`skip_leave_on_interrupt`](/docs/agent/config/config-files#skip_leave_on_interrupt)
are now dependent on whether or not the agent is acting as a server or client: are now dependent on whether or not the agent is acting as a server or client:
- For servers, `leave_on_terminate` defaults to "false" and `skip_leave_on_interrupt` - For servers, `leave_on_terminate` defaults to "false" and `skip_leave_on_interrupt`
@ -965,7 +965,7 @@ using this feature.
#### WAN Address Translation in HTTP Endpoints #### WAN Address Translation in HTTP Endpoints
Consul version 0.7 added support for translating WAN addresses in certain Consul version 0.7 added support for translating WAN addresses in certain
[HTTP endpoints](/docs/agent/options#translate_wan_addrs). The servers [HTTP endpoints](/docs/agent/config/config-files#translate_wan_addrs). The servers
and the agents need to be running version 0.7 or later in order to use this and the agents need to be running version 0.7 or later in order to use this
feature. feature.
@ -1047,7 +1047,7 @@ which require it:
} }
When the DNS interface is queried, the agent's When the DNS interface is queried, the agent's
[`acl_token`](/docs/agent/options#acl_token) is used, so be sure [`acl_token`](/docs/agent/config/config-files#acl_token) is used, so be sure
that token has sufficient privileges to return the DNS records you that token has sufficient privileges to return the DNS records you
expect to retrieve from it. expect to retrieve from it.

View File

@ -20,7 +20,7 @@
used instead. The scheme can also be set to HTTPS by setting the environment used instead. The scheme can also be set to HTTPS by setting the environment
variable `CONSUL_HTTP_SSL=true`. This may be a unix domain socket using variable `CONSUL_HTTP_SSL=true`. This may be a unix domain socket using
`unix:///path/to/socket` if the [agent is configured to `unix:///path/to/socket` if the [agent is configured to
listen](/docs/agent/options#addresses) that way. listen](/docs/agent/config/config-files#addresses) that way.
- `-tls-server-name=<value>` - The server name to use as the SNI host when - `-tls-server-name=<value>` - The server name to use as the SNI host when
connecting via TLS. This can also be specified via the `CONSUL_TLS_SERVER_NAME` connecting via TLS. This can also be specified via the `CONSUL_TLS_SERVER_NAME`

View File

@ -848,7 +848,20 @@
}, },
{ {
"title": "Configuration", "title": "Configuration",
"path": "agent/options" "routes": [
{
"title": "General",
"path": "agent/config"
},
{
"title": "CLI Reference",
"path": "agent/config/cli-flags"
},
{
"title": "Configuration Reference",
"path": "agent/config/config-files"
}
]
}, },
{ {
"title": "Configuration Entries", "title": "Configuration Entries",

View File

@ -1239,4 +1239,9 @@ module.exports = [
destination: '/docs/k8s/operations/tls-on-existing-cluster', destination: '/docs/k8s/operations/tls-on-existing-cluster',
permanent: true, permanent: true,
}, },
{
source: '/docs/agent/options',
destination: '/docs/agent/config',
permanent: true,
},
] ]