Update licensing docs for 1.10 licensing

Matt Keeler 2021-06-02 14:34:46 -04:00
parent 6b7ca99a69
commit f3595f5394
2 changed files with 49 additions and 17 deletions


@ -1636,6 +1636,8 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr
- `leave_on_terminate` If enabled, when the agent receives a TERM signal, it will send a `Leave` message to the rest of the cluster and gracefully leave. The default behavior for this feature varies based on whether or not the agent is running as a client or a server (prior to Consul 0.7 the default value was unconditionally set to `false`). On agents in client-mode, this defaults to `true` and for agents in server-mode, this defaults to `false`.
- `license_path` <EnterpriseAlert inline /> This specifies the path to a file that contains the Consul Enterprise license. See the [licensing documentation](/docs/enterprise#licensing) for more information about Consul Enterprise license management.
- `limits` Available in Consul 0.9.3 and later, this is a nested
object that configures limits that are enforced by the agent. Prior to Consul 1.5.2,
this only applied to agents in client mode, not Consul servers. The following parameters
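
Review bot: The new `license_path` entry gives no version, while the neighbouring `limits` entry states "Available in Consul 0.9.3 and later"; since the commit is for 1.10 licensing, say which release introduced the option. The entry should also mention that the `CONSUL_LICENSE` and `CONSUL_LICENSE_PATH` environment variables take precedence over it, as the licensing page changed in this same commit describes, so an operator reading only the options reference is not surprised when an environment value overrides the configured file.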


@ -28,13 +28,18 @@ Enterprise](https://www.hashicorp.com/consul).
## Licensing
Licensing capabilities were added to Consul Enterprise v1.1.0. The license is set
once for a datacenter and will automatically propagate to all nodes within the
datacenter over a period of time scaled between 1 and 20 minutes depending on the
number of nodes in the datacenter. There are two methods for licensing Consul
enterprise.
All Consul Enterprise agents must be licensed when they are started. Where that license comes from will depend
on which binary is in use, whether the agent is a server, client or snapshot agent and whether ACLs have been
enabled for the cluster.
### Included in the Enterprise Package
-> ** Consul Enterprise v1.10.0 removed temporary licensing.** In previous versions Consul Enterprise
agents could start without a license and then have a license applied to them later on via the CLI
or API. That functionality has been removed and replaced with the ability to load licenses from the
agent's configuration or environment. Also prior to v1.10.0 server agents would automatically propagate
the license between themselves. This no longer occurs and the license must be present on each server
when they are started.
### Binaries with Built In Licenses
If you are downloading Consul from Amazon S3, then the license is included
in the binary and you do not need to take further action. This is the
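
Review bot: The new opening paragraph says the license source depends on "whether ACLs have been enabled for the cluster", but the page never explains what changes when ACLs are disabled; the client retrieval section further down states the RPC "always requires a valid non-anonymous ACL token". Either state outright that automatic retrieval is unavailable without ACLs, so those agents need the license in their configuration or environment, or drop the ACL condition from the intro. Separately, the callout opens with `** Consul Enterprise`; the space after the opening `**` will keep the sentence from rendering as bold.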
@ -44,16 +49,41 @@ In the S3 bucket you will find three Enterprise zip packages. The packages with
`+prem` in the name, are the binaries that include the license. The package
with `+ent` in the name does not include the license.
### Applied after Bootstrapping
When using these binaries no further action is necessary to configure the license.
If you are downloading the enterprise binary from the [releases.hashicorp.com](https://releases.hashicorp.com/consul/) or the `+ent` package from Amazon S3, you will need to apply
the license to the cluster, after completing the bootstrapping process.
You can set the license on any agent within the cluster and it will be
forwarded to the leading server via the RPC forwarding functionality.
Below are your two options for setting the license file.
### Binaries Without Built In Licenses
You can set the license via the
[API](/api/operator/license) or the [CLI](/commands/license). When
you first start Consul, a 30-minute temporary license is available to allow you
time to license the datacenter. You should set the license within ten minutes of
starting the first Consul process to allow time for the license to propagate.
For binaries that do not include built in licenses a license must be available at the time the agent starts.
For server agents this means that they must either have the [`license_path`](/docs/agent/opts#license_path)
configuration set or have a license configured in the servers environment with the `CONSUL_LICENSE` or
`CONSUL_LICENSE_PATH` environment variables. Both the configuration item and the `CONSUL_LICENSE_PATH`
environment variable point to a file containing the license whereas the `CONSUL_LICENSE` environment
variable should contain the license as the value. If multiple of these are set the order of precedence is:
1. `CONSUL_LICENSE` environment variable
2. `CONSUL_LICENSE_PATH` environment variable
3. `license_path` configuration item.
Both client agents and the snapshot agent may also be licensed in the very same manner. However to prevent
the need to configure the license on many client agents and snapshot agents those agents have the capability
to retrieve the license automatically under specific circumstances.
#### Client Agent License Retrieval
When a client agent starts without a license in its configuration or environment, it will try to retrieve the
license from the servers via RPCs. That RPC always requires a valid non-anonymous ACL token to authorize the
request but the token doesn't need any particular permissions. As the license is required before the client
actually joins the cluster, where to make those RPC requests to is inferred from the [`start_join`](/docs/agent/opts#start_join)
or [`retry_join`](/docs/agent/opts#retry_join) configurations. If those are both unset or no
[`agent` token](/docs/agent/opts#acl_tokens_agent) is set then the client agent will immediately shut itself down.
If all preliminary checks pass the client agent will attempt to reach out to any server on its RPC port to
request the license. These requests will be retried for up to 5 minutes and if it is unable to retrieve a
license within that time frame it will shut itself down.
#### Snapshot Agent License Retrieval
The snapshot agent has similar functionality to the client agent for automatically retrieving the license. However,
instead of requiring a server agent to talk to, the snapshot agent can request the license from the server or
client agent it would use for all other operations. It still requires an ACL token to authorize the request. Also
like client agents, the snapshot agent will shut itself down after being unable to retrieve the license for 5
minutes.
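
Review bot: In "Client Agent License Retrieval" the text first says the RPC needs "a valid non-anonymous ACL token" and then that the client shuts down when no `agent` token is set; say explicitly that the `agent` token is the one sent with the license request, and that it needs no particular permissions, so readers do not provision a more privileged token for this. The snapshot agent section has the same gap: "It still requires an ACL token" does not say where that token is configured. Minor wording: "the servers environment" should be "the server's environment", and the precedence list ends only its third item with a period.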