mirror of https://github.com/status-im/consul.git
Update licensing docs for 1.10 licensing
This commit is contained in:
parent
6b7ca99a69
commit
f3595f5394
|
@ -1636,6 +1636,8 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr
|
|||
|
||||
- `leave_on_terminate` If enabled, when the agent receives a TERM signal, it will send a `Leave` message to the rest of the cluster and gracefully leave. The default behavior for this feature varies based on whether or not the agent is running as a client or a server (prior to Consul 0.7 the default value was unconditionally set to `false`). On agents in client-mode, this defaults to `true` and for agents in server-mode, this defaults to `false`.
|
||||
|
||||
- `license_path` <EnterpriseAlert inline /> This specifies the path to a file that contains the Consul Enterprise license. See the [licensing documentation](/docs/enterprise#licensing) for more information about Consul Enterprise license management.
|
||||
|
||||
- `limits` Available in Consul 0.9.3 and later, this is a nested
|
||||
object that configures limits that are enforced by the agent. Prior to Consul 1.5.2,
|
||||
this only applied to agents in client mode, not Consul servers. The following parameters
|
||||
|
|
|
@ -28,13 +28,18 @@ Enterprise](https://www.hashicorp.com/consul).
|
|||
|
||||
## Licensing
|
||||
|
||||
Licensing capabilities were added to Consul Enterprise v1.1.0. The license is set
|
||||
once for a datacenter and will automatically propagate to all nodes within the
|
||||
datacenter over a period of time scaled between 1 and 20 minutes depending on the
|
||||
number of nodes in the datacenter. There are two methods for licensing Consul
|
||||
enterprise.
|
||||
All Consul Enterprise agents must be licensed when they are started. Where that license comes from will depend
|
||||
on which binary is in use, whether the agent is a server, client or snapshot agent and whether ACLs have been
|
||||
enabled for the cluster.
|
||||
|
||||
### Included in the Enterprise Package
|
||||
-> ** Consul Enterprise v1.10.0 removed temporary licensing.** In previous versions Consul Enterprise
|
||||
agents could start without a license and then have a license applied to them later on via the CLI
|
||||
or API. That functionality has been removed and replaced with the ability to load licenses from the
|
||||
agent's configuration or environment. Also prior to v1.10.0 server agents would automatically propagate
|
||||
the license between themselves. This no longer occurs and the license must be present on each server
|
||||
when they are started.
|
||||
|
||||
### Binaries with Built In Licenses
|
||||
|
||||
If you are downloading Consul from Amazon S3, then the license is included
|
||||
in the binary and you do not need to take further action. This is the
|
||||
|
@ -44,16 +49,41 @@ In the S3 bucket you will find three Enterprise zip packages. The packages with
|
|||
`+prem` in the name, are the binaries that include the license. The package
|
||||
with `+ent` in the name does not include the license.
|
||||
|
||||
### Applied after Bootstrapping
|
||||
When using these binaries no further action is necessary to configure the license.
|
||||
|
||||
If you are downloading the enterprise binary from the [releases.hashicorp.com](https://releases.hashicorp.com/consul/) or the `+ent` package from Amazon S3, you will need to apply
|
||||
the license to the cluster, after completing the bootstrapping process.
|
||||
You can set the license on any agent within the cluster and it will be
|
||||
forwarded to the leading server via the RPC forwarding functionality.
|
||||
Below are your two options for setting the license file.
|
||||
### Binaries Without Built In Licenses
|
||||
|
||||
You can set the license via the
|
||||
[API](/api/operator/license) or the [CLI](/commands/license). When
|
||||
you first start Consul, a 30-minute temporary license is available to allow you
|
||||
time to license the datacenter. You should set the license within ten minutes of
|
||||
starting the first Consul process to allow time for the license to propagate.
|
||||
For binaries that do not include built in licenses a license must be available at the time the agent starts.
|
||||
For server agents this means that they must either have the [`license_path`](/docs/agent/opts#license_path)
|
||||
configuration set or have a license configured in the servers environment with the `CONSUL_LICENSE` or
|
||||
`CONSUL_LICENSE_PATH` environment variables. Both the configuration item and the `CONSUL_LICENSE_PATH`
|
||||
environment variable point to a file containing the license whereas the `CONSUL_LICENSE` environment
|
||||
variable should contain the license as the value. If multiple of these are set the order of precedence is:
|
||||
|
||||
1. `CONSUL_LICENSE` environment variable
|
||||
2. `CONSUL_LICENSE_PATH` environment variable
|
||||
3. `license_path` configuration item.
|
||||
|
||||
Both client agents and the snapshot agent may also be licensed in the very same manner. However to prevent
|
||||
the need to configure the license on many client agents and snapshot agents those agents have the capability
|
||||
to retrieve the license automatically under specific circumstances.
|
||||
|
||||
#### Client Agent License Retrieval
|
||||
|
||||
When a client agent starts without a license in its configuration or environment, it will try to retrieve the
|
||||
license from the servers via RPCs. That RPC always requires a valid non-anonymous ACL token to authorize the
|
||||
request but the token doesn't need any particular permissions. As the license is required before the client
|
||||
actually joins the cluster, where to make those RPC requests to is inferred from the [`start_join`](/docs/agent/opts#start_join)
|
||||
or [`retry_join`](/docs/agent/opts#retry_join) configurations. If those are both unset or no
|
||||
[`agent` token](/docs/agent/opts#acl_tokens_agent) is set then the client agent will immediately shut itself down.
|
||||
If all preliminary checks pass the client agent will attempt to reach out to any server on its RPC port to
|
||||
request the license. These requests will be retried for up to 5 minutes and if it is unable to retrieve a
|
||||
license within that time frame it will shut itself down.
|
||||
|
||||
#### Snapshot Agent License Retrieval
|
||||
|
||||
The snapshot agent has similar functionality to the client agent for automatically retrieving the license. However,
|
||||
instead of requiring a server agent to talk to, the snapshot agent can request the license from the server or
|
||||
client agent it would use for all other operations. It still requires an ACL token to authorize the request. Also
|
||||
like client agents, the snapshot agent will shut itself down after being unable to retrieve the license for 5
|
||||
minutes.
|
Loading…
Reference in New Issue