github.com/criteo-forks/consul@v1.4.5-criteonogrpc/agent/consul/config.go (about) 1 package consul 2 3 import ( 4 "fmt" 5 "io" 6 "net" 7 "os" 8 "time" 9 10 "github.com/hashicorp/consul/agent/consul/autopilot" 11 "github.com/hashicorp/consul/agent/structs" 12 "github.com/hashicorp/consul/lib" 13 "github.com/hashicorp/consul/tlsutil" 14 "github.com/hashicorp/consul/types" 15 "github.com/hashicorp/consul/version" 16 "github.com/hashicorp/memberlist" 17 "github.com/hashicorp/raft" 18 "github.com/hashicorp/serf/serf" 19 "golang.org/x/time/rate" 20 ) 21 22 const ( 23 DefaultDC = "dc1" 24 DefaultRPCPort = 8300 25 DefaultLANSerfPort = 8301 26 DefaultWANSerfPort = 8302 27 28 // DefaultRaftMultiplier is used as a baseline Raft configuration that 29 // will be reliable on a very basic server. See docs/guides/performance.html 30 // for information on how this value was obtained. 31 DefaultRaftMultiplier uint = 5 32 33 // MaxRaftMultiplier is a fairly arbitrary upper bound that limits the 34 // amount of performance detuning that's possible. 35 MaxRaftMultiplier uint = 10 36 37 // DefaultSoftWatchLimit is used as a soft limit to cap how many watches we allow 38 // for a given blocking query. If this is exceeded, then we will use a 39 // higher-level watch that's less fine-grained. 40 DefaultSoftWatchLimit = 8192 41 ) 42 43 var ( 44 DefaultRPCAddr = &net.TCPAddr{IP: net.ParseIP("0.0.0.0"), Port: DefaultRPCPort} 45 46 // ProtocolVersionMap is the mapping of Consul protocol versions 47 // to Serf protocol versions. We mask the Serf protocols using 48 // our own protocol version. 49 protocolVersionMap map[uint8]uint8 50 ) 51 52 func init() { 53 protocolVersionMap = map[uint8]uint8{ 54 1: 4, 55 2: 4, 56 3: 4, 57 } 58 } 59 60 // (Enterprise-only) NetworkSegment is the address and port configuration 61 // for a network segment. 62 type NetworkSegment struct { 63 Name string 64 Bind string 65 Port int 66 Advertise string 67 RPCAddr *net.TCPAddr 68 SerfConfig *serf.Config 69 } 70 71 // Config is used to configure the server 72 type Config struct { 73 // Bootstrap mode is used to bring up the first Consul server. 74 // It is required so that it can elect a leader without any 75 // other nodes being present 76 Bootstrap bool 77 78 // BootstrapExpect mode is used to automatically bring up a collection of 79 // Consul servers. This can be used to automatically bring up a collection 80 // of nodes. 81 BootstrapExpect int 82 83 // Datacenter is the datacenter this Consul server represents. 84 Datacenter string 85 86 // PrimaryDatacenter is the authoritative datacenter for features like ACLs 87 // and Connect. 88 PrimaryDatacenter string 89 90 // DataDir is the directory to store our state in. 91 DataDir string 92 93 // DevMode is used to enable a development server mode. 94 DevMode bool 95 96 // NodeID is a unique identifier for this node across space and time. 97 NodeID types.NodeID 98 99 // Node name is the name we use to advertise. Defaults to hostname. 100 NodeName string 101 102 // Domain is the DNS domain for the records. Defaults to "consul." 103 Domain string 104 105 // RaftConfig is the configuration used for Raft in the local DC 106 RaftConfig *raft.Config 107 108 // (Enterprise-only) NonVoter is used to prevent this server from being added 109 // as a voting member of the Raft cluster. 110 NonVoter bool 111 112 // NotifyListen is called after the RPC listener has been configured. 113 // RPCAdvertise will be set to the listener address if it hasn't been 114 // configured at this point. 115 NotifyListen func() 116 117 // RPCAddr is the RPC address used by Consul. This should be reachable 118 // by the WAN and LAN 119 RPCAddr *net.TCPAddr 120 121 // RPCAdvertise is the address that is advertised to other nodes for 122 // the RPC endpoint. This can differ from the RPC address, if for example 123 // the RPCAddr is unspecified "0.0.0.0:8300", but this address must be 124 // reachable. If RPCAdvertise is nil then it will be set to the Listener 125 // address after the listening socket is configured. 126 RPCAdvertise *net.TCPAddr 127 128 // RPCSrcAddr is the source address for outgoing RPC connections. 129 RPCSrcAddr *net.TCPAddr 130 131 // (Enterprise-only) The network segment this agent is part of. 132 Segment string 133 134 // (Enterprise-only) Segments is a list of network segments for a server to 135 // bind on. 136 Segments []NetworkSegment 137 138 // SerfLANConfig is the configuration for the intra-dc serf 139 SerfLANConfig *serf.Config 140 141 // SerfWANConfig is the configuration for the cross-dc serf 142 SerfWANConfig *serf.Config 143 144 // SerfFloodInterval controls how often we attempt to flood local Serf 145 // Consul servers into the global areas (WAN and user-defined areas in 146 // Consul Enterprise). 147 SerfFloodInterval time.Duration 148 149 // ReconcileInterval controls how often we reconcile the strongly 150 // consistent store with the Serf info. This is used to handle nodes 151 // that are force removed, as well as intermittent unavailability during 152 // leader election. 153 ReconcileInterval time.Duration 154 155 // LogOutput is the location to write logs to. If this is not set, 156 // logs will go to stderr. 157 LogOutput io.Writer 158 159 // ProtocolVersion is the protocol version to speak. This must be between 160 // ProtocolVersionMin and ProtocolVersionMax. 161 ProtocolVersion uint8 162 163 // VerifyIncoming is used to verify the authenticity of incoming connections. 164 // This means that TCP requests are forbidden, only allowing for TLS. TLS connections 165 // must match a provided certificate authority. This can be used to force client auth. 166 VerifyIncoming bool 167 168 // VerifyOutgoing is used to force verification of the authenticity of outgoing connections. 169 // This means that TLS requests are used, and TCP requests are not made. TLS connections 170 // must match a provided certificate authority. 171 VerifyOutgoing bool 172 173 // UseTLS is used to enable TLS for outgoing connections to other TLS-capable Consul 174 // servers. This doesn't imply any verification, it only enables TLS if possible. 175 UseTLS bool 176 177 // VerifyServerHostname is used to enable hostname verification of servers. This 178 // ensures that the certificate presented is valid for server.<datacenter>.<domain>. 179 // This prevents a compromised client from being restarted as a server, and then 180 // intercepting request traffic as well as being added as a raft peer. This should be 181 // enabled by default with VerifyOutgoing, but for legacy reasons we cannot break 182 // existing clients. 183 VerifyServerHostname bool 184 185 // CAFile is a path to a certificate authority file. This is used with VerifyIncoming 186 // or VerifyOutgoing to verify the TLS connection. 187 CAFile string 188 189 // CAPath is a path to a directory of certificate authority files. This is used with 190 // VerifyIncoming or VerifyOutgoing to verify the TLS connection. 191 CAPath string 192 193 // CertFile is used to provide a TLS certificate that is used for serving TLS connections. 194 // Must be provided to serve TLS connections. 195 CertFile string 196 197 // KeyFile is used to provide a TLS key that is used for serving TLS connections. 198 // Must be provided to serve TLS connections. 199 KeyFile string 200 201 // ServerName is used with the TLS certificate to ensure the name we 202 // provide matches the certificate 203 ServerName string 204 205 // TLSMinVersion is used to set the minimum TLS version used for TLS connections. 206 TLSMinVersion string 207 208 // TLSCipherSuites is used to specify the list of supported ciphersuites. 209 TLSCipherSuites []uint16 210 211 // TLSPreferServerCipherSuites specifies whether to prefer the server's ciphersuite 212 // over the client ciphersuites. 213 TLSPreferServerCipherSuites bool 214 215 // RejoinAfterLeave controls our interaction with Serf. 216 // When set to false (default), a leave causes a Consul to not rejoin 217 // the cluster until an explicit join is received. If this is set to 218 // true, we ignore the leave, and rejoin the cluster on start. 219 RejoinAfterLeave bool 220 221 // Build is a string that is gossiped around, and can be used to help 222 // operators track which versions are actively deployed 223 Build string 224 225 // ACLEnabled is used to enable ACLs 226 ACLsEnabled bool 227 228 // ACLEnforceVersion8 is used to gate a set of ACL policy features that 229 // are opt-in prior to Consul 0.8 and opt-out in Consul 0.8 and later. 230 ACLEnforceVersion8 bool 231 232 // ACLMasterToken is used to bootstrap the ACL system. It should be specified 233 // on the servers in the ACLDatacenter. When the leader comes online, it ensures 234 // that the Master token is available. This provides the initial token. 235 ACLMasterToken string 236 237 // ACLDatacenter provides the authoritative datacenter for ACL 238 // tokens. If not provided, ACL verification is disabled. 239 ACLDatacenter string 240 241 // ACLTokenTTL controls the time-to-live of cached ACL tokens. 242 // It can be set to zero to disable caching, but this adds 243 // a substantial cost. 244 ACLTokenTTL time.Duration 245 246 // ACLPolicyTTL controls the time-to-live of cached ACL policies. 247 // It can be set to zero to disable caching, but this adds 248 // a substantial cost. 249 ACLPolicyTTL time.Duration 250 251 // ACLDisabledTTL is the time between checking if ACLs should be 252 // enabled. This 253 ACLDisabledTTL time.Duration 254 255 // ACLTokenReplication is used to enabled token replication. 256 // 257 // By default policy-only replication is enabled. When token 258 // replication is off and the primary datacenter is not 259 // yet upgraded to the new ACLs no replication will be performed 260 ACLTokenReplication bool 261 262 // ACLDefaultPolicy is used to control the ACL interaction when 263 // there is no defined policy. This can be "allow" which means 264 // ACLs are used to black-list, or "deny" which means ACLs are 265 // white-lists. 266 ACLDefaultPolicy string 267 268 // ACLDownPolicy controls the behavior of ACLs if the ACLDatacenter 269 // cannot be contacted. It can be either "deny" to deny all requests, 270 // "extend-cache" or "async-cache" which ignores the ACLCacheInterval and 271 // uses cached policies. 272 // If a policy is not in the cache, it acts like deny. 273 // "allow" can be used to allow all requests. This is not recommended. 274 ACLDownPolicy string 275 276 // ACLReplicationRate is the max number of replication rounds that can 277 // be run per second. Note that either 1 or 2 RPCs are used during each replication 278 // round 279 ACLReplicationRate int 280 281 // ACLReplicationBurst is how many replication RPCs can be bursted after a 282 // period of idleness 283 ACLReplicationBurst int 284 285 // ACLReplicationApplyLimit is the max number of replication-related 286 // apply operations that we allow during a one second period. This is 287 // used to limit the amount of Raft bandwidth used for replication. 288 ACLReplicationApplyLimit int 289 290 // ACLEnableKeyListPolicy is used to gate enforcement of the new "list" policy that 291 // protects listing keys by prefix. This behavior is opt-in 292 // by default in Consul 1.0 and later. 293 ACLEnableKeyListPolicy bool 294 295 // TombstoneTTL is used to control how long KV tombstones are retained. 296 // This provides a window of time where the X-Consul-Index is monotonic. 297 // Outside this window, the index may not be monotonic. This is a result 298 // of a few trade offs: 299 // 1) The index is defined by the data view and not globally. This is a 300 // performance optimization that prevents any write from incrementing the 301 // index for all data views. 302 // 2) Tombstones are not kept indefinitely, since otherwise storage required 303 // is also monotonic. This prevents deletes from reducing the disk space 304 // used. 305 // In theory, neither of these are intrinsic limitations, however for the 306 // purposes of building a practical system, they are reasonable trade offs. 307 // 308 // It is also possible to set this to an incredibly long time, thereby 309 // simulating infinite retention. This is not recommended however. 310 // 311 TombstoneTTL time.Duration 312 313 // TombstoneTTLGranularity is used to control how granular the timers are 314 // for the Tombstone GC. This is used to batch the GC of many keys together 315 // to reduce overhead. It is unlikely a user would ever need to tune this. 316 TombstoneTTLGranularity time.Duration 317 318 // Minimum Session TTL 319 SessionTTLMin time.Duration 320 321 // ServerUp callback can be used to trigger a notification that 322 // a Consul server is now up and known about. 323 ServerUp func() 324 325 // UserEventHandler callback can be used to handle incoming 326 // user events. This function should not block. 327 UserEventHandler func(serf.UserEvent) 328 329 // CoordinateUpdatePeriod controls how long a server batches coordinate 330 // updates before applying them in a Raft transaction. A larger period 331 // leads to fewer Raft transactions, but also the stored coordinates 332 // being more stale. 333 CoordinateUpdatePeriod time.Duration 334 335 // CoordinateUpdateBatchSize controls the maximum number of updates a 336 // server batches before applying them in a Raft transaction. 337 CoordinateUpdateBatchSize int 338 339 // CoordinateUpdateMaxBatches controls the maximum number of batches we 340 // are willing to apply in one period. After this limit we will issue a 341 // warning and discard the remaining updates. 342 CoordinateUpdateMaxBatches int 343 344 // RPCHoldTimeout is how long an RPC can be "held" before it is errored. 345 // This is used to paper over a loss of leadership by instead holding RPCs, 346 // so that the caller experiences a slow response rather than an error. 347 // This period is meant to be long enough for a leader election to take 348 // place, and a small jitter is applied to avoid a thundering herd. 349 RPCHoldTimeout time.Duration 350 351 // RPCRate and RPCMaxBurst control how frequently RPC calls are allowed 352 // to happen. In any large enough time interval, rate limiter limits the 353 // rate to RPCRate tokens per second, with a maximum burst size of 354 // RPCMaxBurst events. As a special case, if RPCRate == Inf (the infinite 355 // rate), RPCMaxBurst is ignored. 356 // 357 // See https://en.wikipedia.org/wiki/Token_bucket for more about token 358 // buckets. 359 RPCRate rate.Limit 360 RPCMaxBurst int 361 362 // LeaveDrainTime is used to wait after a server has left the LAN Serf 363 // pool for RPCs to drain and new requests to be sent to other servers. 364 LeaveDrainTime time.Duration 365 366 // AutopilotConfig is used to apply the initial autopilot config when 367 // bootstrapping. 368 AutopilotConfig *autopilot.Config 369 370 // ServerHealthInterval is the frequency with which the health of the 371 // servers in the cluster will be updated. 372 ServerHealthInterval time.Duration 373 374 // AutopilotInterval is the frequency with which the leader will perform 375 // autopilot tasks, such as promoting eligible non-voters and removing 376 // dead servers. 377 AutopilotInterval time.Duration 378 379 // ConnectEnabled is whether to enable Connect features such as the CA. 380 ConnectEnabled bool 381 382 // CAConfig is used to apply the initial Connect CA configuration when 383 // bootstrapping. 384 CAConfig *structs.CAConfiguration 385 386 // WatchSoftLimit is used as a soft limit to cap how many watches we allow 387 // for a given blocking query. If this is exceeded, then we will use a 388 // higher-level watch that's less fine-grained. 389 WatchSoftLimit int 390 } 391 392 func (c *Config) ToTLSUtilConfig() tlsutil.Config { 393 return tlsutil.Config{ 394 VerifyIncoming: c.VerifyIncoming, 395 VerifyOutgoing: c.VerifyOutgoing, 396 CAFile: c.CAFile, 397 CAPath: c.CAPath, 398 CertFile: c.CertFile, 399 KeyFile: c.KeyFile, 400 NodeName: c.NodeName, 401 ServerName: c.ServerName, 402 TLSMinVersion: c.TLSMinVersion, 403 CipherSuites: c.TLSCipherSuites, 404 PreferServerCipherSuites: c.TLSPreferServerCipherSuites, 405 } 406 } 407 408 // CheckProtocolVersion validates the protocol version. 409 func (c *Config) CheckProtocolVersion() error { 410 if c.ProtocolVersion < ProtocolVersionMin { 411 return fmt.Errorf("Protocol version '%d' too low. Must be in range: [%d, %d]", c.ProtocolVersion, ProtocolVersionMin, ProtocolVersionMax) 412 } 413 if c.ProtocolVersion > ProtocolVersionMax { 414 return fmt.Errorf("Protocol version '%d' too high. Must be in range: [%d, %d]", c.ProtocolVersion, ProtocolVersionMin, ProtocolVersionMax) 415 } 416 return nil 417 } 418 419 // CheckACL validates the ACL configuration. 420 func (c *Config) CheckACL() error { 421 switch c.ACLDefaultPolicy { 422 case "allow": 423 case "deny": 424 default: 425 return fmt.Errorf("Unsupported default ACL policy: %s", c.ACLDefaultPolicy) 426 } 427 switch c.ACLDownPolicy { 428 case "allow": 429 case "deny": 430 case "async-cache", "extend-cache": 431 default: 432 return fmt.Errorf("Unsupported down ACL policy: %s", c.ACLDownPolicy) 433 } 434 return nil 435 } 436 437 // DefaultConfig returns a sane default configuration. 438 func DefaultConfig() *Config { 439 hostname, err := os.Hostname() 440 if err != nil { 441 panic(err) 442 } 443 444 conf := &Config{ 445 Build: version.Version, 446 Datacenter: DefaultDC, 447 NodeName: hostname, 448 RPCAddr: DefaultRPCAddr, 449 RaftConfig: raft.DefaultConfig(), 450 SerfLANConfig: lib.SerfDefaultConfig(), 451 SerfWANConfig: lib.SerfDefaultConfig(), 452 SerfFloodInterval: 60 * time.Second, 453 ReconcileInterval: 60 * time.Second, 454 ProtocolVersion: ProtocolVersion2Compatible, 455 ACLPolicyTTL: 30 * time.Second, 456 ACLTokenTTL: 30 * time.Second, 457 ACLDefaultPolicy: "allow", 458 ACLDownPolicy: "extend-cache", 459 ACLReplicationRate: 1, 460 ACLReplicationBurst: 5, 461 ACLReplicationApplyLimit: 100, // ops / sec 462 TombstoneTTL: 15 * time.Minute, 463 TombstoneTTLGranularity: 30 * time.Second, 464 SessionTTLMin: 10 * time.Second, 465 466 // These are tuned to provide a total throughput of 128 updates 467 // per second. If you update these, you should update the client- 468 // side SyncCoordinateRateTarget parameter accordingly. 469 CoordinateUpdatePeriod: 5 * time.Second, 470 CoordinateUpdateBatchSize: 128, 471 CoordinateUpdateMaxBatches: 5, 472 473 RPCRate: rate.Inf, 474 RPCMaxBurst: 1000, 475 476 TLSMinVersion: "tls10", 477 478 // TODO (slackpad) - Until #3744 is done, we need to keep these 479 // in sync with agent/config/default.go. 480 AutopilotConfig: &autopilot.Config{ 481 CleanupDeadServers: true, 482 LastContactThreshold: 200 * time.Millisecond, 483 MaxTrailingLogs: 250, 484 ServerStabilizationTime: 10 * time.Second, 485 }, 486 487 CAConfig: &structs.CAConfiguration{ 488 Provider: "consul", 489 Config: map[string]interface{}{ 490 "RotationPeriod": "2160h", 491 "LeafCertTTL": "72h", 492 }, 493 }, 494 495 ServerHealthInterval: 2 * time.Second, 496 AutopilotInterval: 10 * time.Second, 497 } 498 499 // Increase our reap interval to 3 days instead of 24h. 500 conf.SerfLANConfig.ReconnectTimeout = 3 * 24 * time.Hour 501 conf.SerfWANConfig.ReconnectTimeout = 3 * 24 * time.Hour 502 503 // WAN Serf should use the WAN timing, since we are using it 504 // to communicate between DC's 505 conf.SerfWANConfig.MemberlistConfig = memberlist.DefaultWANConfig() 506 507 // Ensure we don't have port conflicts 508 conf.SerfLANConfig.MemberlistConfig.BindPort = DefaultLANSerfPort 509 conf.SerfWANConfig.MemberlistConfig.BindPort = DefaultWANSerfPort 510 511 // Raft protocol version 3 only works with other Consul servers running 512 // 0.8.0 or later. 513 conf.RaftConfig.ProtocolVersion = 3 514 515 // Disable shutdown on removal 516 conf.RaftConfig.ShutdownOnRemove = false 517 518 // Check every 5 seconds to see if there are enough new entries for a snapshot, can be overridden 519 conf.RaftConfig.SnapshotInterval = 30 * time.Second 520 521 // Snapshots are created every 16384 entries by default, can be overridden 522 conf.RaftConfig.SnapshotThreshold = 16384 523 524 return conf 525 }