|
|
@ -205,19 +205,17 @@ definitions support being updated during a reload.
|
|
|
|
* `acl_datacenter` - Only used by servers. This designates the data center which
|
|
|
|
* `acl_datacenter` - Only used by servers. This designates the data center which
|
|
|
|
is authoritative for ACL information. It must be provided to enable ACLs.
|
|
|
|
is authoritative for ACL information. It must be provided to enable ACLs.
|
|
|
|
All servers and data centers must agree on the ACL data center. Setting it on
|
|
|
|
All servers and data centers must agree on the ACL data center. Setting it on
|
|
|
|
the servers is all you need for enforcement, but for the APIs to work on the
|
|
|
|
the servers is all you need for enforcement, but for the APIs to forwarding properly
|
|
|
|
clients, it must be set on them too (to forward properly). Also, if we want
|
|
|
|
from the clients, it must be set on them too. Future changes may move
|
|
|
|
to enhance the ACL support for other features like service discovery,
|
|
|
|
enforcement to the edges, so it's best to just set `acl_datacenter` on all nodes.
|
|
|
|
enforcement might move to the edges, so it's best to just set the
|
|
|
|
|
|
|
|
`acl_datacenter` on all the nodes.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
* `acl_default_policy` - Either "allow" or "deny", defaults to "allow". The
|
|
|
|
* `acl_default_policy` - Either "allow" or "deny"; defaults to "allow". The
|
|
|
|
default policy controls the behavior of a token when there is no matching
|
|
|
|
default policy controls the behavior of a token when there is no matching
|
|
|
|
rule. In "allow" mode, ACLs are a blacklist: any operation not specifically
|
|
|
|
rule. In "allow" mode, ACLs are a blacklist: any operation not specifically
|
|
|
|
prohibited is allowed. In "deny" mode, ACLs are a whitelist: any operation not
|
|
|
|
prohibited is allowed. In "deny" mode, ACLs are a whitelist: any operation not
|
|
|
|
specifically allowed is blocked.
|
|
|
|
specifically allowed is blocked.
|
|
|
|
|
|
|
|
|
|
|
|
* `acl_down_policy` - Either "allow", "deny" or "extend-cache" which is the
|
|
|
|
* `acl_down_policy` - Either "allow", "deny" or "extend-cache"; "extend-cache" is the
|
|
|
|
default. In the case that the policy for a token cannot be read from the
|
|
|
|
default. In the case that the policy for a token cannot be read from the
|
|
|
|
`acl_datacenter` or leader node, the down policy is applied. In "allow" mode,
|
|
|
|
`acl_datacenter` or leader node, the down policy is applied. In "allow" mode,
|
|
|
|
all actions are permitted, "deny" restricts all operations, and "extend-cache"
|
|
|
|
all actions are permitted, "deny" restricts all operations, and "extend-cache"
|
|
|
@ -225,18 +223,17 @@ definitions support being updated during a reload.
|
|
|
|
ACL is used, "extend-cache" acts like "deny".
|
|
|
|
ACL is used, "extend-cache" acts like "deny".
|
|
|
|
|
|
|
|
|
|
|
|
* `acl_master_token` - Only used for servers in the `acl_datacenter`. This token
|
|
|
|
* `acl_master_token` - Only used for servers in the `acl_datacenter`. This token
|
|
|
|
will be created if it does not exist with management level permissions. It allows
|
|
|
|
will be created with management-level permissions if it does not exist. It allows
|
|
|
|
operators to bootstrap the ACL system with a token ID that is well-known.
|
|
|
|
operators to bootstrap the ACL system with a token ID that is well-known.
|
|
|
|
|
|
|
|
|
|
|
|
* `acl_token` - When provided, the agent will use this token when making requests
|
|
|
|
* `acl_token` - When provided, the agent will use this token when making requests
|
|
|
|
to the Consul servers. Clients can override this token on a per-request basis
|
|
|
|
to the Consul servers. Clients can override this token on a per-request basis
|
|
|
|
by providing the ?token parameter. When not provided, the empty token is used
|
|
|
|
by providing the "?token" query parameter. When not provided, the empty token, which
|
|
|
|
which maps to the 'anonymous' ACL policy.
|
|
|
|
maps to the 'anonymous' ACL policy, is used.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
* `acl_ttl` - Used to control Time-To-Live caching of ACLs. By default, this
|
|
|
|
* `acl_ttl` - Used to control Time-To-Live caching of ACLs. By default this
|
|
|
|
|
|
|
|
is 30 seconds. This setting has a major performance impact: reducing it will
|
|
|
|
is 30 seconds. This setting has a major performance impact: reducing it will
|
|
|
|
cause more frequent refreshes, while increasing it reduces the number of caches.
|
|
|
|
cause more frequent refreshes while increasing it reduces the number of caches.
|
|
|
|
However, because the caches are not actively invalidated, ACL policy may be stale
|
|
|
|
However, because the caches are not actively invalidated, ACL policy may be stale
|
|
|
|
up to the TTL value.
|
|
|
|
up to the TTL value.
|
|
|
|
|
|
|
|
|
|
|
@ -268,13 +265,13 @@ definitions support being updated during a reload.
|
|
|
|
|
|
|
|
|
|
|
|
* `bind_addr` - Equivalent to the `-bind` command-line flag.
|
|
|
|
* `bind_addr` - Equivalent to the `-bind` command-line flag.
|
|
|
|
|
|
|
|
|
|
|
|
* `ca_file` - This provides a the file path to a PEM encoded certificate authority.
|
|
|
|
* `ca_file` - This provides a file path to a PEM-encoded certificate authority.
|
|
|
|
The certificate authority is used to check the authenticity of client and server
|
|
|
|
The certificate authority is used to check the authenticity of client and server
|
|
|
|
connections with the appropriate `verify_incoming` or `verify_outgoing` flags.
|
|
|
|
connections with the appropriate `verify_incoming` or `verify_outgoing` flags.
|
|
|
|
|
|
|
|
|
|
|
|
* `cert_file` - This provides a the file path to a PEM encoded certificate.
|
|
|
|
* `cert_file` - This provides a file path to a PEM-encoded certificate.
|
|
|
|
The certificate is provided to clients or servers to verify the agents authenticity.
|
|
|
|
The certificate is provided to clients or servers to verify the agent's authenticity.
|
|
|
|
Must be provided along with the `key_file`.
|
|
|
|
It must be provided along with `key_file`.
|
|
|
|
|
|
|
|
|
|
|
|
* `check_update_interval` - This interval controls how often check output from
|
|
|
|
* `check_update_interval` - This interval controls how often check output from
|
|
|
|
checks in a steady state is synchronized with the server. By default, this is
|
|
|
|
checks in a steady state is synchronized with the server. By default, this is
|
|
|
@ -300,28 +297,30 @@ definitions support being updated during a reload.
|
|
|
|
new version releases.
|
|
|
|
new version releases.
|
|
|
|
|
|
|
|
|
|
|
|
* `dns_config` - This object allows a number of sub-keys to be set which can tune
|
|
|
|
* `dns_config` - This object allows a number of sub-keys to be set which can tune
|
|
|
|
how DNS queries are performed. See this guide on [DNS caching](/docs/guides/dns-cache.html).
|
|
|
|
how DNS queries are serviced. See this guide on [DNS caching](/docs/guides/dns-cache.html)
|
|
|
|
|
|
|
|
for more detail.
|
|
|
|
|
|
|
|
<br><br>
|
|
|
|
The following sub-keys are available:
|
|
|
|
The following sub-keys are available:
|
|
|
|
|
|
|
|
|
|
|
|
* `allow_stale` - Enables a stale query for DNS information. This allows any Consul
|
|
|
|
* `allow_stale` - Enables a stale query for DNS information. This allows any Consul
|
|
|
|
server to service the request, instead of only the leader. The advantage of this is
|
|
|
|
server, rather than only the leader, to service the request. The advantage of this is
|
|
|
|
you get linear read scalability with Consul servers. By default, this is false, meaning
|
|
|
|
you get linear read scalability with Consul servers. By default, this is false, meaning
|
|
|
|
all requests are serviced by the leader. This provides stronger consistency but
|
|
|
|
all requests are serviced by the leader, providing stronger consistency but
|
|
|
|
with less throughput and higher latency.
|
|
|
|
less throughput and higher latency.
|
|
|
|
|
|
|
|
|
|
|
|
* `max_stale` - When `allow_stale` is specified, this is used to limit how
|
|
|
|
* `max_stale` - When `allow_stale` is specified, this is used to limit how
|
|
|
|
stale of a result will be used. By default, this is set to "5s", which means
|
|
|
|
stale results are allowed to be. By default, this is set to "5s":
|
|
|
|
if a Consul server is more than 5 seconds behind the leader, the query will be
|
|
|
|
if a Consul server is more than 5 seconds behind the leader, the query will be
|
|
|
|
re-evaluated on the leader to get more up-to-date results.
|
|
|
|
re-evaluated on the leader to get more up-to-date results.
|
|
|
|
|
|
|
|
|
|
|
|
* `node_ttl` - By default, this is "0s", which means all node lookups are served with
|
|
|
|
* `node_ttl` - By default, this is "0s", so all node lookups are served with
|
|
|
|
a 0 TTL value. This can be set to allow node lookups to set a TTL value, which enables
|
|
|
|
a 0 TTL value. DNS caching for node lookups can be enabled by setting this value. This
|
|
|
|
DNS caching. This should be specified with the "s" suffix for second, or "m" for minute.
|
|
|
|
should be specified with the "s" suffix for second, or "m" for minute.
|
|
|
|
|
|
|
|
|
|
|
|
* `service_ttl` - This is a sub-object, which allows for setting a TTL on service lookups
|
|
|
|
* `service_ttl` - This is a sub-object which allows for setting a TTL on service lookups
|
|
|
|
with a per-service policy. The "*" wildcard service can be specified and is used when
|
|
|
|
with a per-service policy. The "*" wildcard service can be used when
|
|
|
|
there is no specific policy available for a service. By default, all services are served
|
|
|
|
there is no specific policy available for a service. By default, all services are served
|
|
|
|
with a 0 TTL value. Setting this enables DNS caching.
|
|
|
|
with a 0 TTL value. DNS caching for service lookups can be enabled by setting this value.
|
|
|
|
|
|
|
|
|
|
|
|
* `enable_truncate` - If set to true, a UDP DNS query that would return more than 3 records
|
|
|
|
* `enable_truncate` - If set to true, a UDP DNS query that would return more than 3 records
|
|
|
|
will set the truncated flag, indicating to clients that they should re-query using TCP to
|
|
|
|
will set the truncated flag, indicating to clients that they should re-query using TCP to
|
|
|
@ -333,21 +332,22 @@ definitions support being updated during a reload.
|
|
|
|
|
|
|
|
|
|
|
|
* `domain` - By default, Consul responds to DNS queries in the "consul." domain.
|
|
|
|
* `domain` - By default, Consul responds to DNS queries in the "consul." domain.
|
|
|
|
This flag can be used to change that domain. All queries in this domain are assumed
|
|
|
|
This flag can be used to change that domain. All queries in this domain are assumed
|
|
|
|
to be handled by Consul, and will not be recursively resolved.
|
|
|
|
to be handled by Consul and will not be recursively resolved.
|
|
|
|
|
|
|
|
|
|
|
|
* `enable_debug` - When set, enables some additional debugging features. Currently,
|
|
|
|
* `enable_debug` - When set, enables some additional debugging features. Currently,
|
|
|
|
only used to set the runtime profiling HTTP endpoints.
|
|
|
|
this is only used to set the runtime profiling HTTP endpoints.
|
|
|
|
|
|
|
|
|
|
|
|
* `enable_syslog` - Equivalent to the `-syslog` command-line flag.
|
|
|
|
* `enable_syslog` - Equivalent to the `-syslog` command-line flag.
|
|
|
|
|
|
|
|
|
|
|
|
* `encrypt` - Equivalent to the `-encrypt` command-line flag.
|
|
|
|
* `encrypt` - Equivalent to the `-encrypt` command-line flag.
|
|
|
|
|
|
|
|
|
|
|
|
* `key_file` - This provides a the file path to a PEM encoded private key.
|
|
|
|
* `key_file` - This provides a the file path to a PEM-encoded private key.
|
|
|
|
The key is used with the certificate to verify the agents authenticity.
|
|
|
|
The key is used with the certificate to verify the agent's authenticity.
|
|
|
|
Must be provided along with the `cert_file`.
|
|
|
|
This must be provided along with `cert_file`.
|
|
|
|
|
|
|
|
|
|
|
|
* `http_api_response_headers` - This object allows adding HTTP header response fields to
|
|
|
|
* `http_api_response_headers` - This object allows adding headers to the HTTP API
|
|
|
|
the HTTP API responses. For example, the following config can be used to enable CORS on
|
|
|
|
responses. For example, the following config can be used to enable
|
|
|
|
|
|
|
|
[CORS](http://en.wikipedia.org/wiki/Cross-origin_resource_sharing) on
|
|
|
|
the HTTP API endpoints:
|
|
|
|
the HTTP API endpoints:
|
|
|
|
|
|
|
|
|
|
|
|
```javascript
|
|
|
|
```javascript
|
|
|
@ -359,7 +359,7 @@ definitions support being updated during a reload.
|
|
|
|
```
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
* `leave_on_terminate` - If enabled, when the agent receives a TERM signal,
|
|
|
|
* `leave_on_terminate` - If enabled, when the agent receives a TERM signal,
|
|
|
|
it will send a Leave message to the rest of the cluster and gracefully
|
|
|
|
it will send a `Leave` message to the rest of the cluster and gracefully
|
|
|
|
leave. Defaults to false.
|
|
|
|
leave. Defaults to false.
|
|
|
|
|
|
|
|
|
|
|
|
* `log_level` - Equivalent to the `-log-level` command-line flag.
|
|
|
|
* `log_level` - Equivalent to the `-log-level` command-line flag.
|
|
|
@ -384,7 +384,7 @@ definitions support being updated during a reload.
|
|
|
|
* `recursors` - This flag provides addresses of upstream DNS servers that are used to
|
|
|
|
* `recursors` - This flag provides addresses of upstream DNS servers that are used to
|
|
|
|
recursively resolve queries if they are not inside the service domain for consul. For example,
|
|
|
|
recursively resolve queries if they are not inside the service domain for consul. For example,
|
|
|
|
a node can use Consul directly as a DNS server, and if the record is outside of the "consul." domain,
|
|
|
|
a node can use Consul directly as a DNS server, and if the record is outside of the "consul." domain,
|
|
|
|
the query will be resolved upstream using their servers.
|
|
|
|
the query will be resolved upstream.
|
|
|
|
|
|
|
|
|
|
|
|
* `rejoin_after_leave` - Equivalent to the `-rejoin` command-line flag.
|
|
|
|
* `rejoin_after_leave` - Equivalent to the `-rejoin` command-line flag.
|
|
|
|
|
|
|
|
|
|
|
@ -396,75 +396,75 @@ definitions support being updated during a reload.
|
|
|
|
|
|
|
|
|
|
|
|
* `retry_join_wan` - Equivalent to the `-retry-join-wan` command-line flag. Takes a list
|
|
|
|
* `retry_join_wan` - Equivalent to the `-retry-join-wan` command-line flag. Takes a list
|
|
|
|
of addresses to attempt joining to WAN every `retry_interval_wan` until at least one
|
|
|
|
of addresses to attempt joining to WAN every `retry_interval_wan` until at least one
|
|
|
|
join -wan works.
|
|
|
|
`-join-wan works.
|
|
|
|
|
|
|
|
|
|
|
|
* `retry_interval_wan` - Equivalent to the `-retry-interval-wan` command-line flag.
|
|
|
|
* `retry_interval_wan` - Equivalent to the `-retry-interval-wan` command-line flag.
|
|
|
|
|
|
|
|
|
|
|
|
* `server` - Equivalent to the `-server` command-line flag.
|
|
|
|
* `server` - Equivalent to the `-server` command-line flag.
|
|
|
|
|
|
|
|
|
|
|
|
* `server_name` - When give, this overrides the `node_name` for the TLS certificate.
|
|
|
|
* `server_name` - When provided, this overrides the `node_name` for the TLS certificate.
|
|
|
|
It can be used to ensure that the certificate name matches the hostname we
|
|
|
|
It can be used to ensure that the certificate name matches the hostname we
|
|
|
|
declare.
|
|
|
|
declare.
|
|
|
|
|
|
|
|
|
|
|
|
* `skip_leave_on_interrupt` - This is the similar to`leave_on_terminate` but
|
|
|
|
* `skip_leave_on_interrupt` - This is similar to `leave_on_terminate` but
|
|
|
|
only affects interrupt handling. By default, an interrupt causes Consul to
|
|
|
|
only affects interrupt handling. By default, an interrupt (such as hitting
|
|
|
|
gracefully leave, but setting this to true disables that. Defaults to false.
|
|
|
|
Control-C in a shell) causes Consul to gracefully leave. Setting this to true
|
|
|
|
Interrupts are usually from a Control-C from a shell.
|
|
|
|
disables that. Defaults to false.
|
|
|
|
|
|
|
|
|
|
|
|
* `start_join` - An array of strings specifying addresses of nodes to
|
|
|
|
* `start_join` - An array of strings specifying addresses of nodes to
|
|
|
|
join upon startup.
|
|
|
|
join upon startup.
|
|
|
|
|
|
|
|
|
|
|
|
* `start_join_wan` - An array of strings specifying addresses of WAN nodes to
|
|
|
|
* `start_join_wan` - An array of strings specifying addresses of WAN nodes to
|
|
|
|
join -wan upon startup.
|
|
|
|
`-join-wan` upon startup.
|
|
|
|
|
|
|
|
|
|
|
|
* `statsd_addr` - This provides the address of a statsd instance. If provided
|
|
|
|
* `statsd_addr` - This provides the address of a statsd instance. If provided,
|
|
|
|
Consul will send various telemetry information to that instance for aggregation.
|
|
|
|
Consul will send various telemetry information to that instance for aggregation.
|
|
|
|
This can be used to capture various runtime information. This sends UDP packets
|
|
|
|
This can be used to capture runtime information. This sends UDP packets
|
|
|
|
only, and can be used with statsd or statsite.
|
|
|
|
only and can be used with statsd or statsite.
|
|
|
|
|
|
|
|
|
|
|
|
* `statsite_addr` - This provides the address of a statsite instance. If provided
|
|
|
|
* `statsite_addr` - This provides the address of a statsite instance. If provided,
|
|
|
|
Consul will stream various telemetry information to that instance for aggregation.
|
|
|
|
Consul will stream various telemetry information to that instance for aggregation.
|
|
|
|
This can be used to capture various runtime information. This streams via
|
|
|
|
This can be used to capture runtime information. This streams via
|
|
|
|
TCP and can only be used with statsite.
|
|
|
|
TCP and can only be used with statsite.
|
|
|
|
|
|
|
|
|
|
|
|
* `syslog_facility` - When `enable_syslog` is provided, this controls which
|
|
|
|
* `syslog_facility` - When `enable_syslog` is provided, this controls to which
|
|
|
|
facility messages are sent to. By default, `LOCAL0` will be used.
|
|
|
|
facility messages are sent. By default, `LOCAL0` will be used.
|
|
|
|
|
|
|
|
|
|
|
|
* `ui_dir` - Equivalent to the `-ui-dir` command-line flag.
|
|
|
|
* `ui_dir` - Equivalent to the `-ui-dir` command-line flag.
|
|
|
|
|
|
|
|
|
|
|
|
* `unix_sockets` - This allows tuning the ownership and permissions of the
|
|
|
|
* `unix_sockets` - This allows tuning the ownership and permissions of the
|
|
|
|
Unix domain socket files created by Consul. Domain sockets are only used if
|
|
|
|
Unix domain socket files created by Consul. Domain sockets are only used if
|
|
|
|
the HTTP or RPC addresses are configured with the `unix://` prefix. The
|
|
|
|
the HTTP or RPC addresses are configured with the `unix://` prefix. The
|
|
|
|
following options are valid within this construct, and apply globally to all
|
|
|
|
following options are valid within this construct and apply globally to all
|
|
|
|
sockets created by Consul:
|
|
|
|
sockets created by Consul:
|
|
|
|
<br>
|
|
|
|
<br>
|
|
|
|
* `user` - The name or ID of the user who will own the socket file.
|
|
|
|
* `user` - The name or ID of the user who will own the socket file.
|
|
|
|
* `group` - The group ID ownership of the socket file. Note that this option
|
|
|
|
* `group` - The group ID ownership of the socket file. Note that this option
|
|
|
|
currently only supports numeric ID's.
|
|
|
|
currently only supports numeric IDs.
|
|
|
|
* `mode` - The permission bits to set on the file.
|
|
|
|
* `mode` - The permission bits to set on the file.
|
|
|
|
<br>
|
|
|
|
<br>
|
|
|
|
It is important to note that this option may have different effects on
|
|
|
|
It is important to note that this option may have different effects on
|
|
|
|
different operating systems. Linux generally observes socket file permissions,
|
|
|
|
different operating systems. Linux generally observes socket file permissions
|
|
|
|
while many BSD variants ignore permissions on the socket file itself. It is
|
|
|
|
while many BSD variants ignore permissions on the socket file itself. It is
|
|
|
|
important to test this feature on your specific distribution. This feature is
|
|
|
|
important to test this feature on your specific distribution. This feature is
|
|
|
|
currently not functional on Windows hosts.
|
|
|
|
currently not functional on Windows hosts.
|
|
|
|
|
|
|
|
|
|
|
|
* `verify_incoming` - If set to True, Consul requires that all incoming
|
|
|
|
* `verify_incoming` - If set to true, Consul requires that all incoming
|
|
|
|
connections make use of TLS, and that the client provides a certificate signed
|
|
|
|
connections make use of TLS and that the client provides a certificate signed
|
|
|
|
by the Certificate Authority from the `ca_file`. By default, this is false, and
|
|
|
|
by the Certificate Authority from the `ca_file`. By default, this is false, and
|
|
|
|
Consul will not enforce the use of TLS or verify a client's authenticity. This
|
|
|
|
Consul will not enforce the use of TLS or verify a client's authenticity. This
|
|
|
|
only applies to Consul servers, since a client never has an incoming connection.
|
|
|
|
only applies to Consul servers since a client never has an incoming connection.
|
|
|
|
|
|
|
|
|
|
|
|
* `verify_outgoing` - If set to True, Consul requires that all outgoing connections
|
|
|
|
* `verify_outgoing` - If set to true, Consul requires that all outgoing connections
|
|
|
|
make use of TLS, and that the server provide a certificate that is signed by
|
|
|
|
make use of TLS and that the server provides a certificate that is signed by
|
|
|
|
the Certificate Authority from the `ca_file`. By default, this is false, and Consul
|
|
|
|
the Certificate Authority from the `ca_file`. By default, this is false, and Consul
|
|
|
|
will not make use of TLS for outgoing connections. This applies to clients and servers,
|
|
|
|
will not make use of TLS for outgoing connections. This applies to clients and servers
|
|
|
|
as both will make outgoing connections.
|
|
|
|
as both will make outgoing connections.
|
|
|
|
|
|
|
|
|
|
|
|
* `watches` - Watches is a list of watch specifications.
|
|
|
|
* `watches` - Watches is a list of watch specifications which allow an external process
|
|
|
|
These allow an external process to be automatically invoked when a particular
|
|
|
|
to be automatically invoked when a particular data view is updated. See the
|
|
|
|
data view is updated. See the [watch documentation](/docs/agent/watches.html) for
|
|
|
|
[watch documentation](/docs/agent/watches.html) for more detail. Watches can be
|
|
|
|
more documentation. Watches can be modified when the configuration is reloaded.
|
|
|
|
modified when the configuration is reloaded.
|
|
|
|
|
|
|
|
|
|
|
|
## Ports Used
|
|
|
|
## Ports Used
|
|
|
|
|
|
|
|
|
|
|
|