The purpose of this article is to build a Consul 1.5 cluster with ACL control enabled. I will cover the underlying concepts and the individual configuration options in a supplementary article later.
1. Machine planning
I have four virtual machines: three act as Server Agents and one as a Client Agent. (Note: you can of course configure multiple clients; only one client is configured here because I already have too many VMs running.)
| Machine IP (machine name) | HTTP port (defaults for the other ports) | Agent type | Node name |
|---|---|---|---|
| 10.211.55.28 (node1) | 8500 | server | consul-server1 |
| 10.211.55.25 (node2) | 8500 | server | consul-server2 |
| 10.211.55.26 (node3) | 8500 | server | consul-server3 |
| 10.211.55.27 (node4) | 8500 | client with the UI | consul-client1 |
2. Configure the three servers and start them.
consul-server1.json
```json
{
  "datacenter": "dc1",
  "primary_datacenter": "dc1",
  "bootstrap_expect": 1,
  "start_join": ["10.211.55.25", "10.211.55.26"],
  "retry_join": ["10.211.55.25", "10.211.55.26"],
  "advertise_addr": "10.211.55.28",
  "bind_addr": "10.211.55.28",
  "server": true,
  "connect": { "enabled": true },
  "node_name": "consul-server1",
  "data_dir": "/opt/consul/data/",
  "enable_script_checks": false,
  "enable_local_script_checks": true,
  "log_file": "/opt/consul/log/",
  "log_level": "info",
  "log_rotate_bytes": 100000000,
  "log_rotate_duration": "24h",
  "encrypt": "krCysDJnrQ8dtA7AbJav8g==",
  "acl": {
    "enabled": true,
    "default_policy": "deny",
    "enable_token_persistence": true,
    "tokens": { "master": "cd76a0f7-5535-40cc-8696-073462acc6c7" }
  }
}
```
consul-server2.json
```json
{
  "datacenter": "dc1",
  "primary_datacenter": "dc1",
  "advertise_addr": "10.211.55.25",
  "bind_addr": "10.211.55.25",
  "server": true,
  "connect": { "enabled": true },
  "node_name": "consul-server2",
  "data_dir": "/opt/consul/data/",
  "enable_script_checks": false,
  "enable_local_script_checks": true,
  "log_file": "/opt/consul/log/",
  "log_level": "info",
  "log_rotate_bytes": 100000000,
  "log_rotate_duration": "24h",
  "encrypt": "krCysDJnrQ8dtA7AbJav8g==",
  "acl": {
    "enabled": true,
    "default_policy": "deny",
    "enable_token_persistence": true,
    "tokens": { "master": "cd76a0f7-5535-40cc-8696-073462acc6c7" }
  }
}
```
consul-server3.json
```json
{
  "datacenter": "dc1",
  "primary_datacenter": "dc1",
  "advertise_addr": "10.211.55.26",
  "bind_addr": "10.211.55.26",
  "server": true,
  "connect": { "enabled": true },
  "node_name": "consul-server3",
  "data_dir": "/opt/consul/data/",
  "enable_script_checks": false,
  "enable_local_script_checks": true,
  "log_file": "/opt/consul/log/",
  "log_level": "info",
  "log_rotate_bytes": 100000000,
  "log_rotate_duration": "24h",
  "encrypt": "krCysDJnrQ8dtA7AbJav8g==",
  "acl": {
    "enabled": true,
    "default_policy": "deny",
    "enable_token_persistence": true,
    "tokens": { "master": "cd76a0f7-5535-40cc-8696-073462acc6c7" }
  }
}
```
You can see that the configurations of consul-server2 and consul-server3 are the same as consul-server1 except that the IP address and port have been changed. In addition, consul-server1 is the one configured to start joining (start_join) and retry joining (retry_join) the others. Next, start the cluster:

On host 10.211.55.25 (node2): `./consul agent -config-file start-conf/consul-server2.json`

On host 10.211.55.26 (node3): `./consul agent -config-file start-conf/consul-server3.json`

On host 10.211.55.28 (node1): `./consul agent -config-file start-conf/consul-server1.json`
3. Generate and configure agent-token to resolve the server Agent ACL block problem
Once the agents above are running, you will find that coordinate updates are blocked by the ACL, as shown in the diagram below:

Run the following on any server to generate the agent token:
```shell
curl \
  --request PUT \
  --header "X-Consul-Token: cd76a0f7-5535-40cc-8696-073462acc6c7" \
  --data '{
    "Name": "Agent Token",
    "Type": "client",
    "Rules": "node \"\" { policy = \"write\" } service \"\" { policy = \"read\" }"
  }' \
  http://127.0.0.1:8500/v1/acl/create
```
The call returns the generated agent token. Add it to the acl.tokens block of every server configuration:

```json
"acl": {
  "enabled": true,
  "default_policy": "deny",
  "enable_token_persistence": true,
  "tokens": {
    "master": "cd76a0f7-5535-40cc-8696-073462acc6c7",
    "agent": "deaa315d-98c5-b9f6-6519-4c8f6574a551"
  }
}
```

That is, the agent token is added alongside the master token.
Then restart each server agent:

On host 10.211.55.25 (node2): `./consul agent -config-file start-conf/consul-server2.json`

On host 10.211.55.26 (node3): `./consul agent -config-file start-conf/consul-server3.json`

On host 10.211.55.28 (node1): `./consul agent -config-file start-conf/consul-server1.json`
After the server Agent cluster stabilizes, the ACL block is resolved.
4. Start a client Agent with the UI
```json
{
  "datacenter": "dc1",
  "primary_datacenter": "dc1",
  "advertise_addr": "10.211.55.27",
  "start_join": ["10.211.55.25", "10.211.55.26", "10.211.55.28"],
  "retry_join": ["10.211.55.25", "10.211.55.26", "10.211.55.28"],
  "bind_addr": "10.211.55.27",
  "node_name": "consul-client1",
  "client_addr": "0.0.0.0",
  "connect": { "enabled": true },
  "data_dir": "/opt/consul/data/",
  "log_file": "/opt/consul/log/",
  "log_level": "info",
  "log_rotate_bytes": 100000000,
  "log_rotate_duration": "24h",
  "encrypt": "krCysDJnrQ8dtA7AbJav8g==",
  "ui": true,
  "enable_script_checks": false,
  "enable_local_script_checks": true,
  "disable_remote_exec": true,
  "ports": { "http": 7110 },
  "acl": {
    "enabled": true,
    "default_policy": "deny",
    "enable_token_persistence": true,
    "tokens": { "agent": "deaa315d-98c5-b9f6-6519-4c8f6574a551" }
  }
}
```
The main addition in this configuration is `"ui": true`, which enables the Web UI (viewable in a browser). The agent token generated in step 3 is also set. Run `./consul agent -config-file start-conf/consul-client1.json` on host 10.211.55.27 (node4).
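As an added example (not code from the original article), here is a small Python helper for the workflow in steps 2 to 4: it builds the body for the legacy `/v1/acl/create` request from step 3, inserts the returned agent token into an agent config, and cross-checks the configs before a restart the way I would (same gossip key and datacenter everywhere, ACLs enabled with default deny, an agent token on every node, no master token in a client config). The token and gossip-key values are constructed placeholders.

```python
import copy

# Constructed placeholder secrets; the real master token and gossip key come from
# the cluster's own config files and should never be checked into source control.
MASTER_TOKEN = "00000000-0000-0000-0000-000000000000"
GOSSIP_KEY = "AAAAAAAAAAAAAAAAAAAAAA=="

# Legacy ACL rules used for the agent token: node write lets each agent register
# itself and update coordinates, service read lets it resolve other services.
AGENT_RULES = 'node "" { policy = "write" } service "" { policy = "read" }'

def build_agent_token_request():
    """JSON body for PUT /v1/acl/create (the legacy endpoint used in step 3)."""
    return {"Name": "Agent Token", "Type": "client", "Rules": AGENT_RULES}

def add_agent_token(cfg, agent_token):
    """Return a copy of an agent config with acl.tokens.agent set."""
    new = copy.deepcopy(cfg)
    new.setdefault("acl", {}).setdefault("tokens", {})["agent"] = agent_token
    return new

def audit_cluster(configs):
    """Cross-check agent configs as steps 2-4 expect them; return a list of findings."""
    findings = []
    if len({c.get("encrypt") for c in configs}) != 1:
        findings.append("gossip encrypt key differs between agents")
    if len({c.get("datacenter") for c in configs}) != 1:
        findings.append("datacenter differs between agents")
    for c in configs:
        name, acl = c.get("node_name", "?"), c.get("acl", {})
        tokens = acl.get("tokens", {})
        if not acl.get("enabled") or acl.get("default_policy") != "deny":
            findings.append(f"{name}: ACLs must be enabled with default_policy deny")
        if "agent" not in tokens:
            findings.append(f"{name}: acl.tokens.agent missing, coordinate updates stay blocked")
        if not c.get("server") and "master" in tokens:
            findings.append(f"{name}: client agent carries the master token")
        if c.get("enable_script_checks"):
            findings.append(f"{name}: enable_script_checks should stay false")
    return findings

# Constructed configs mirroring the article's server1 (before step 3) and client1.
SERVER1 = {"datacenter": "dc1", "node_name": "consul-server1", "server": True,
           "encrypt": GOSSIP_KEY, "enable_script_checks": False,
           "acl": {"enabled": True, "default_policy": "deny",
                   "tokens": {"master": MASTER_TOKEN}}}
CLIENT1 = {"datacenter": "dc1", "node_name": "consul-client1", "ui": True,
           "encrypt": GOSSIP_KEY, "enable_script_checks": False,
           "acl": {"enabled": True, "default_policy": "deny", "tokens": {}}}
```

Calling `audit_cluster([SERVER1, CLIENT1])` reports the missing agent token on both nodes; after `add_agent_token` with the value returned by the create call, the audit comes back empty.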
5. Configure environment variables.
After all the configuration above, I thought everything was done and I could sit back and stroke my handsome hair.
1. Set environment variables for the Server Agents. Add the following to /etc/profile on every server (vim /etc/profile):

```shell
export CONSUL_HTTP_TOKEN=cd76a0f7-5535-40cc-8696-073462acc6c7
```

Then run `source /etc/profile`. For convenience, I used the master token here because it carries the maximum permissions. After this, `./consul members` returns data.
2. Set environment variables for the Client Agent:

```shell
# consul http token
export CONSUL_HTTP_TOKEN=cd76a0f7-5535-40cc-8696-073462acc6c7
# only consul-client1 needs this, because its HTTP port was changed to 7110
export CONSUL_HTTP_ADDR=127.0.0.1:7110
```

After this, running `./consul members` on the client agent also works.
6. Set the master_token for the Web-UI
On the client agent, open 127.0.0.1:7110 in a browser, click ACL, and enter the master token, as shown in the diagram below:
7. References
www.consul.io/docs/acl/ac…
www.consul.io/docs/agent/…
www.consul.io/docs/comman…
This article will also be published on WeChat. Please follow my WeChat official account so that we can exchange ideas and learn together.