consul/website/pages/docs/faq.mdx

122 lines
6.2 KiB
Plaintext
Raw Normal View History

2014-10-14 00:46:41 +00:00
---
2020-04-07 18:55:19 +00:00
layout: docs
page_title: Frequently Asked Questions
2020-04-07 23:56:08 +00:00
sidebar_title: 'FAQ'
2020-04-07 18:55:19 +00:00
sidebar_current: docs-faq
2014-10-14 00:46:41 +00:00
---
# Frequently Asked Questions
## Q: What is Checkpoint? / Does Consul call home?
Consul makes use of a HashiCorp service called [Checkpoint](http://checkpoint.hashicorp.com)
2014-10-20 06:26:38 +00:00
which is used to check for updates and critical security bulletins.
2015-03-05 22:56:41 +00:00
Only anonymous information, which cannot be used to identify the user or host, is
sent to Checkpoint . An anonymous ID is sent which helps de-duplicate warning messages.
2016-11-01 13:11:20 +00:00
This anonymous ID can be disabled. In fact, using the Checkpoint service is optional
and can be disabled.
See [`disable_anonymous_signature`](/docs/agent/options.html#disable_anonymous_signature)
and [`disable_update_check`](/docs/agent/options.html#disable_update_check).
2015-03-09 17:10:22 +00:00
## Q: Does Consul rely on UDP Broadcast or Multicast?
2016-08-08 16:44:27 +00:00
Consul uses the [Serf](https://www.serf.io) gossip protocol which relies on
2015-03-09 17:10:22 +00:00
TCP and UDP unicast. Broadcast and Multicast are rarely available in a multi-tenant
or cloud network environment. For that reason, Consul and Serf were both
designed to avoid any dependence on those capabilities.
2015-03-09 18:46:59 +00:00
## Q: Is Consul eventually or strongly consistent?
Consul has two important subsystems, the service catalog and the gossip protocol.
The service catalog stores all the nodes, service instances, health check data,
2017-04-04 16:33:22 +00:00
ACLs, and KV information. It is strongly consistent, and replicated
2015-03-09 18:46:59 +00:00
using the [consensus protocol](/docs/internals/consensus.html).
The [gossip protocol](/docs/internals/gossip.html) is used to track which
nodes are part of the cluster and to detect a node or agent failure. This information
is eventually consistent by nature. When the servers detects a change in membership,
or receive a health update, they update the service catalog appropriately.
Because of this split, the answer to the question is subtle. Almost all client APIs
interact with the service catalog and are strongly consistent. Updates to the
catalog may come via the gossip protocol which is eventually consistent, meaning
the current state of the catalog can lag behind until the state is reconciled.
## Q: Are _failed_ or _left_ nodes ever removed?
To prevent an accumulation of dead nodes (nodes in either _failed_ or _left_
states), Consul will automatically remove dead nodes out of the catalog. This
process is called _reaping_. This is currently done on a configurable
interval of 72 hours. Reaping is similar to leaving, causing all associated
services to be deregistered. Changing the reap interval for aesthetic
reasons to trim the number of _failed_ or _left_ nodes is not advised (nodes
in the _failed_ or _left_ state do not cause any additional burden on
Consul).
2015-05-04 21:23:33 +00:00
## Q: Does Consul support delta updates for watchers or blocking queries?
Consul does not currently support sending a delta or a change only response
to a watcher or a blocking query. The API simply allows for an edge-trigger
return with the full result. A client should keep the results of their last
read and compute the delta client side.
By design, Consul offloads this to clients instead of attempting to support
the delta calculation. This avoids expensive state maintenance on the servers
as well as race conditions between data updates and watch registrations.
## Q: What network ports does Consul use?
2016-07-29 18:43:51 +00:00
The [Ports Used](https://www.consul.io/docs/agent/options.html#ports) section of the Configuration documentation lists all ports that Consul uses.
## Q: Does Consul require certain user process resource limits?
There should be only a small number of open file descriptors required for a
Consul client agent. The gossip layers perform transient connections with
other nodes, each connection to the client agent (such as for a blocking
query) will open a connection, and there will typically be connections to one
of the Consul servers. A small number of file descriptors are also required
for watch handlers, health checks, log files, and so on.
For a Consul server agent, you should plan on the above requirements and
an additional incoming connection from each of the nodes in the cluster. This
should not be the common case, but in the worst case if there is a problem
with the other servers you would expect the other client agents to all
connect to a single server and so preparation for this possibility is helpful.
The default ulimits are usually sufficient for Consul, but you should closely
scrutinize your own environment's specific needs and identify the root cause
of any excessive resource utilization before arbitrarily increasing the limits.
## Q: What is the per-key value size limitation for Consul's key/value store?
2018-05-10 15:24:06 +00:00
The limit on a key's value size is 512KB. This is strictly enforced and an
HTTP 413 status will be returned to any client that attempts to store more
than that limit in a value. It should be noted that the Consul key/value store
is not designed to be used as a general purpose database. See
[Server Performance](/docs/install/performance.html) for more details.
## Q: What data is replicated between Consul datacenters?
In general, data is not replicated between different Consul datacenters. When a
request is made for a resource in another datacenter, the local Consul servers forward
an RPC request to the remote Consul servers for that resource and return the results.
If the remote datacenter is not available, then those resources will also not be
available, but that won't otherwise affect the local datacenter. There are some special
situations where a limited subset of data can be replicated, such as with Consul's built-in
[ACL replication](https://learn.hashicorp.com/consul/day-2-operations/acl-replication) capability, or
external tools like [consul-replicate](https://github.com/hashicorp/consul-replicate).
2020-04-06 20:27:35 +00:00
## Q: Can Consul natively handle protecting against other processes accessing Consul's memory state?
2020-04-06 20:27:35 +00:00
Consul does not provide built-in memory access protections, and doesn't interact with the host system to change or manipulate
viewing and doesn't interact with the host system to change or manipulate
application security.
2020-04-06 20:27:35 +00:00
We recommend taking any precautions or
remediation steps that you would normally do for individual processes, based
on your operating system.
2020-04-06 20:27:35 +00:00
Please see our
[Security Model](https://www.consul.io/docs/internals/security.html) for more information.