The purpose of this article is to build a Consul 1.5 cluster with ACL control enabled. I will cover the underlying concepts and the individual configuration options in a separate follow-up article.

1. Machine planning

I have four virtual machines: three run as server agents and one as a client agent. (Note: you can of course configure several clients. Only one client is configured here because too many VMs were already running.)

Machine IP (machine name) | HTTP port (other ports use defaults) | Agent type          | Node name
10.211.55.28 (node1)       | 8500                                 | server              | consul-server1
10.211.55.25 (node2)       | 8500                                 | server              | consul-server2
10.211.55.26 (node3)       | 8500                                 | server              | consul-server3
10.211.55.27 (node4)       | 8500                                 | client (with UI)    | consul-client1

2. Configure the three servers and start them.

consul-server1.json

{
  "datacenter": "dc1",
  "primary_datacenter": "dc1",
  "bootstrap_expect": 1,
  "start_join": ["10.211.55.25", "10.211.55.26"],
  "retry_join": ["10.211.55.25", "10.211.55.26"],
  "advertise_addr": "10.211.55.28",
  "bind_addr": "10.211.55.28",
  "server": true,
  "connect": { "enabled": true },
  "node_name": "consul-server1",
  "data_dir": "/opt/consul/data/",
  "enable_script_checks": false,
  "enable_local_script_checks": true,
  "log_file": "/opt/consul/log/",
  "log_level": "info",
  "log_rotate_bytes": 100000000,
  "log_rotate_duration": "24h",
  "encrypt": "krCysDJnrQ8dtA7AbJav8g==",
  "acl": {
    "enabled": true,
    "default_policy": "deny",
    "enable_token_persistence": true,
    "tokens": { "master": "cd76a0f7-5535-40cc-8696-073462acc6c7" }
  }
}

consul-server2.json

{
  "datacenter": "dc1",
  "primary_datacenter": "dc1",
  "advertise_addr": "10.211.55.25",
  "bind_addr": "10.211.55.25",
  "server": true,
  "connect": { "enabled": true },
  "node_name": "consul-server2",
  "data_dir": "/opt/consul/data/",
  "enable_script_checks": false,
  "enable_local_script_checks": true,
  "log_file": "/opt/consul/log/",
  "log_level": "info",
  "log_rotate_bytes": 100000000,
  "log_rotate_duration": "24h",
  "encrypt": "krCysDJnrQ8dtA7AbJav8g==",
  "acl": {
    "enabled": true,
    "default_policy": "deny",
    "enable_token_persistence": true,
    "tokens": { "master": "cd76a0f7-5535-40cc-8696-073462acc6c7" }
  }
}

consul-server3.json

{
  "datacenter": "dc1",
  "primary_datacenter": "dc1",
  "advertise_addr": "10.211.55.26",
  "bind_addr": "10.211.55.26",
  "server": true,
  "connect": { "enabled": true },
  "node_name": "consul-server3",
  "data_dir": "/opt/consul/data/",
  "enable_script_checks": false,
  "enable_local_script_checks": true,
  "log_file": "/opt/consul/log/",
  "log_level": "info",
  "log_rotate_bytes": 100000000,
  "log_rotate_duration": "24h",
  "encrypt": "krCysDJnrQ8dtA7AbJav8g==",
  "acl": {
    "enabled": true,
    "default_policy": "deny",
    "enable_token_persistence": true,
    "tokens": { "master": "cd76a0f7-5535-40cc-8696-073462acc6c7" }
  }
}

As you can see, the consul-server2 and consul-server3 configurations are the same as consul-server1 except that the IP address and port have been changed; consul-server1 additionally carries the start_join and retry_join settings. Next, start the cluster:

On host 10.211.55.25 (node2): ./consul agent -config-file start-conf/consul-server2.json
On host 10.211.55.26 (node3): ./consul agent -config-file start-conf/consul-server3.json
On host 10.211.55.28 (node1): ./consul agent -config-file start-conf/consul-server1.json

3. Generate and configure agent-token to resolve the server Agent ACL block problem

Once the servers are running, you will find that coordinate updates are blocked by the ACL (the servers log "Coordinate update blocked by ACLs"), because no agent token has been configured yet. The diagram below shows this:

Execute the following statement on any server to generate agent-token:

curl \
  --request PUT \
  --header "X-Consul-Token: cd76a0f7-5535-40cc-8696-073462acc6c7" \
  --data '{
    "Name": "Agent Token",
    "Type": "client",
    "Rules": "node \"\" { policy = \"write\" } service \"\" { policy = \"read\" }"
  }' \
  http://127.0.0.1:8500/v1/acl/create

The ID of the generated agent token is returned. Add it to the acl section of every server configuration:

"acl": {
  "enabled": true,
  "default_policy": "deny",
  "enable_token_persistence": true,
  "tokens": {
    "master": "cd76a0f7-5535-40cc-8696-073462acc6c7",
    "agent": "deaa315d-98c5-b9f6-6519-4c8f6574a551"
  }
}

That is, the "agent" entry is added to acl.tokens.

Then restart each server agent:

On host 10.211.55.25 (node2): ./consul agent -config-file start-conf/consul-server2.json
On host 10.211.55.26 (node3): ./consul agent -config-file start-conf/consul-server3.json
On host 10.211.55.28 (node1): ./consul agent -config-file start-conf/consul-server1.json

After the server Agent cluster stabilizes, the ACL block is resolved.

4. Start a client Agent with the UI

{
  "datacenter": "dc1",
  "primary_datacenter": "dc1",
  "advertise_addr": "10.211.55.27",
  "start_join": ["10.211.55.25", "10.211.55.26", "10.211.55.28"],
  "retry_join": ["10.211.55.25", "10.211.55.26", "10.211.55.28"],
  "bind_addr": "10.211.55.27",
  "node_name": "consul-client1",
  "client_addr": "0.0.0.0",
  "connect": { "enabled": true },
  "data_dir": "/opt/consul/data/",
  "log_file": "/opt/consul/log/",
  "log_level": "info",
  "log_rotate_bytes": 100000000,
  "log_rotate_duration": "24h",
  "encrypt": "krCysDJnrQ8dtA7AbJav8g==",
  "ui": true,
  "enable_script_checks": false,
  "enable_local_script_checks": true,
  "disable_remote_exec": true,
  "ports": { "http": 7110 },
  "acl": {
    "enabled": true,
    "default_policy": "deny",
    "enable_token_persistence": true,
    "tokens": { "agent": "deaa315d-98c5-b9f6-6519-4c8f6574a551" }
  }
}

Compared with the server configurations, this one mainly adds "ui": true, which enables the web UI (viewable in a browser), and sets the agent token generated in step 3. Start it on host 10.211.55.27 (node4): ./consul agent -config-file start-conf/consul-client1.json
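The settings that matter most for security in the four configurations above are easy to get wrong when they are copied between hosts. As an added example (not code from the original post), the following Python script checks agent configuration files of this shape for: ACLs enabled with default_policy deny, an agent token present (its absence is exactly what blocked the servers in step 3), no master token in a client configuration, a valid base64 gossip key of 16, 24 or 32 bytes in encrypt, remote script checks and remote exec disabled, and bootstrap_expect agreeing with the server count. It also warns about client_addr 0.0.0.0, which the client configuration above uses to expose the HTTP API and UI on every interface, leaving the ACL default-deny as the only gate. The embedded sample configurations, addresses, keys and tokens are constructed placeholders, not the post's real cluster.

```python
import base64
import binascii
import json
import sys

# Constructed sample configs (placeholder addresses, key and tokens; not the post's cluster).
GOOD_SERVER = {
    "datacenter": "dc1", "server": True, "bootstrap_expect": 3,
    "bind_addr": "10.0.0.1", "advertise_addr": "10.0.0.1",
    "encrypt": base64.b64encode(b"\x00" * 16).decode(),  # 16-byte placeholder gossip key
    "enable_script_checks": False, "enable_local_script_checks": True,
    "acl": {"enabled": True, "default_policy": "deny",
            "enable_token_persistence": True,
            "tokens": {"master": "MASTER-TOKEN-PLACEHOLDER",
                       "agent": "AGENT-TOKEN-PLACEHOLDER"}},
}
WEAK_CLIENT = {
    "datacenter": "dc1", "server": False, "ui": True, "client_addr": "0.0.0.0",
    "enable_script_checks": True,  # allows script checks registered over the HTTP API
    "acl": {"enabled": True, "default_policy": "allow",
            "tokens": {"master": "MASTER-TOKEN-PLACEHOLDER"}},
}


def check_agent_config(cfg, expected_servers=3):
    """Return a list of finding codes for one Consul agent config dict.
    An empty list means none of the checks below fired."""
    findings = []
    acl = cfg.get("acl") or {}
    tokens = acl.get("tokens") or {}
    is_server = bool(cfg.get("server"))

    # The ACL system must be on and must deny anything not explicitly granted.
    if not acl.get("enabled"):
        findings.append("acl-disabled")
    elif acl.get("default_policy") != "deny":
        findings.append("acl-default-allow")

    # Only servers should hold the master token; every agent needs the agent token.
    if not is_server and "master" in tokens:
        findings.append("master-token-on-client")
    if acl.get("enabled") and "agent" not in tokens:
        findings.append("agent-token-missing")

    # Gossip encryption: 'encrypt' must be base64 of a 16-, 24- or 32-byte key.
    key = cfg.get("encrypt")
    if not key:
        findings.append("gossip-unencrypted")
    else:
        try:
            raw = base64.b64decode(key, validate=True)
            if len(raw) not in (16, 24, 32):
                findings.append("gossip-key-bad-length")
        except (binascii.Error, ValueError):
            findings.append("gossip-key-not-base64")

    # enable_script_checks lets an HTTP API caller register a check that runs a
    # command on the agent host; only local (config-file) script checks are acceptable.
    if cfg.get("enable_script_checks"):
        findings.append("remote-script-checks-enabled")
    if cfg.get("disable_remote_exec") is False:
        findings.append("remote-exec-enabled")

    # HTTP API / UI bound to all interfaces: reachable from the network, ACLs are the only gate.
    if cfg.get("client_addr") == "0.0.0.0":
        findings.append("http-api-on-all-interfaces")

    # Servers should agree on bootstrap_expect, and it should equal the server count.
    if is_server:
        expect = cfg.get("bootstrap_expect")
        if expect is not None and expect != expected_servers:
            findings.append("bootstrap-expect-mismatch")
    return findings


def check_files(paths, expected_servers=3):
    """Load each JSON config file and return its findings keyed by path."""
    report = {}
    for path in paths:
        with open(path) as fh:
            report[path] = check_agent_config(json.load(fh), expected_servers)
    return report


if __name__ == "__main__":
    # Usage: python check_consul_config.py start-conf/*.json
    for path, found in check_files(sys.argv[1:]).items():
        print(path, "OK" if not found else ", ".join(found))
```

Run it against the start-conf directory before distributing the files; a non-empty finding list for a server config that should be identical to its siblings usually means a setting was lost while copying.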

5. Configure environment variables.

After all the configuration above, I thought everything was done and was about to pat myself on the back.

1. Set environment variables for the server agents. Add the following to /etc/profile on every server (vim /etc/profile):

export CONSUL_HTTP_TOKEN=cd76a0f7-5535-40cc-8696-073462acc6c7

Then run source /etc/profile. For convenience I have used the master_token here, which has the highest permission. After this, ./consul members returns data.

2. Set environment variables for the client agent

# consul http token
export CONSUL_HTTP_TOKEN=cd76a0f7-5535-40cc-8696-073462acc6c7
# only consul-client1 needs this, because its http port has been changed to 7110
export CONSUL_HTTP_ADDR=127.0.0.1:7110

After this, ./consul members also works on the client agent.
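Steps 3 and 5 together show how the token reaches the API: the curl call in step 3 passes the master token in the X-Consul-Token header to create the agent token, and step 5 puts a token into CONSUL_HTTP_TOKEN (and, for the client, the changed port into CONSUL_HTTP_ADDR) so that the CLI stops getting empty results under default_policy deny. The following Python script, an added example rather than code from the original post, replays that exchange offline against a constructed mock of the agent: the mock answers 403 to any request without a known token and accepts /v1/acl/create only from the master token, which is the behaviour a default-deny agent shows, but its member list, token values and exact response bodies are placeholders, not Consul's. The rule string matches the legacy-format rules used by the post's curl command.

```python
import json
import os
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed placeholder tokens for the stand-alone demo (not the post's real tokens).
MASTER_TOKEN = "master-token-placeholder"
AGENT_TOKEN = "agent-token-placeholder"

# Legacy-format rules as in the post's curl call: nodes writable, services read-only.
AGENT_RULES = 'node "" { policy = "write" } service "" { policy = "read" }'


class MockConsul(BaseHTTPRequestHandler):
    """Constructed stand-in for an agent running with acl.default_policy = "deny":
    requests without a known X-Consul-Token are refused with 403."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, status, body):
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_GET(self):
        token = self.headers.get("X-Consul-Token", "")
        if self.path == "/v1/agent/members" and token in (MASTER_TOKEN, AGENT_TOKEN):
            self._reply(200, [{"Name": "consul-server1"}, {"Name": "consul-client1"}])
        else:
            self._reply(403, "Permission denied")

    def do_PUT(self):
        token = self.headers.get("X-Consul-Token", "")
        length = int(self.headers.get("Content-Length", "0"))
        body = json.loads(self.rfile.read(length) or b"{}")
        # Only the master token may create ACL tokens; the body must describe a client token.
        if self.path == "/v1/acl/create" and token == MASTER_TOKEN and body.get("Type") == "client":
            self._reply(200, {"ID": AGENT_TOKEN})
        else:
            self._reply(403, "Permission denied")


def start_mock_consul():
    """Start the mock on a free loopback port and return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), MockConsul)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_port


def consul_request(base_url, method, path, token, body=None):
    """Send one request with the token in X-Consul-Token; return (status, decoded JSON)."""
    data = json.dumps(body).encode() if body is not None else None
    req = Request(base_url + path, data=data, method=method)
    if token:
        req.add_header("X-Consul-Token", token)
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read())


def create_agent_token(base_url, master_token):
    """Step 3: create the agent token through the legacy /v1/acl/create endpoint."""
    status, data = consul_request(base_url, "PUT", "/v1/acl/create", master_token,
                                  {"Name": "Agent Token", "Type": "client", "Rules": AGENT_RULES})
    if status != 200:
        raise PermissionError("acl/create returned %d: %s" % (status, data))
    return data["ID"]


def env_settings(environ=None):
    """Step 5: resolve address and token the way the CLI does, from CONSUL_HTTP_ADDR
    (default 127.0.0.1:8500) and CONSUL_HTTP_TOKEN."""
    environ = os.environ if environ is None else environ
    addr = environ.get("CONSUL_HTTP_ADDR", "127.0.0.1:8500")
    if not addr.startswith("http"):
        addr = "http://" + addr
    return addr, environ.get("CONSUL_HTTP_TOKEN", "")


def list_members(base_url, token):
    """Equivalent of 'consul members'; returns (status, member list or error text)."""
    return consul_request(base_url, "GET", "/v1/agent/members", token)


if __name__ == "__main__":
    url = start_mock_consul()
    print("no token:  ", list_members(url, ""))           # 403 under default deny
    agent = create_agent_token(url, MASTER_TOKEN)
    base, tok = env_settings({"CONSUL_HTTP_ADDR": url, "CONSUL_HTTP_TOKEN": agent})
    print("with token:", list_members(base, tok))         # 200 and the member list
```

The same consul_request helper works against a real agent once base_url and the token come from env_settings(); the mock exists only so the exchange can be run without a cluster.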

6. Set the master_token for the Web-UI

On the client agent, open 127.0.0.1:7110 in a browser, click ACL, and enter the master token. The diagram below shows this:

7. References

www.consul.io/docs/acl/ac…

www.consul.io/docs/agent/…

www.consul.io/docs/comman…

This article will also be posted to WeChat as soon as possible. Please follow my WeChat public account so that we can exchange ideas and learn together.