Improve bridge networking story with Connect Native tasks #8290

Closed
shoenig opened this issue Jun 25, 2020 · 1 comment · Fixed by #8443
shoenig commented Jun 25, 2020

Nomad v0.12.0 introduces support for running Connect Native tasks, but basically recommends the use of host networking due to the necessity of the Connect Native Application being able to reach the Consul agent associated with the Nomad Client agent. With no extra configuration, attempting to use bridge networking will result in connectivity errors such as

2020-06-24T21:15:00.879Z [ERROR] connect.watch: Watch errored: service=uuid-api type=connect_leaf error="Get "http://127.0.0.1:8500/v1/agent/connect/ca/leaf/uuid-api": dial tcp 127.0.0.1:8500: connect: connection refused" retry=5s

It is possible to plumb around the network namespace created for bridge networking, for example using Consul's support for creating a Unix socket address listener and Nomad's host volume mounts:

consul agent config

```hcl
# Consul agent: serve the HTTP API on loopback and additionally on a Unix
# socket, whose parent directory can be bind-mounted into the task filesystem
addresses {
  http = "127.0.0.1 unix:///tmp/consul/consul.socket"
}
```

nomad agent config

```hcl
# Nomad client: expose the directory holding the socket as a host volume
client {
  host_volume "consul" {
    path      = "/tmp/consul"
    read_only = false
  }
}
```

nomad job config

```hcl
# Nomad job: bridge networking for the group, the host volume mounted into the
# task, and the Consul client library pointed at the socket rather than at
# 127.0.0.1:8500 (which is unreachable from inside the network namespace)
group "group" {
  network {
    mode = "bridge"
  }

  volume "consul" {
    type      = "host"
    read_only = false
    source    = "consul"
  }

  task "task" {
    volume_mount {
      volume      = "consul"
      destination = "/consul"
    }

    env {
      CONSUL_HTTP_ADDR = "unix:///consul/consul.socket"
    }
  }
}
```

However manually volume mounting a unix socket into each task isn't a great user experience. Similar to the way the grpc_sock hook works for the Envoy -> xDS Consul bidirectional unix socket, we could look into establishing a Consul HTTP proxy over unix socket for native tasks managed by the Nomad Client agent.

@shoenig shoenig added theme/consul/connect Consul Connect integration type/enhancement labels Jun 25, 2020
@shoenig shoenig self-assigned this Jul 13, 2020
shoenig added a commit that referenced this issue Jul 15, 2020
…asks

Before, Connect Native Tasks needed one of these to work:

- To be run in host networking mode
- To have the Consul agent configured to listen to a unix socket
- To have the Consul agent configured to listen to a public interface

None of these are a great experience, though running in host networking is
still the best solution for non-Linux hosts. This PR establishes a connection
proxy between the Consul HTTP listener and a unix socket inside the alloc fs,
bypassing the network namespace for any Connect Native task. Similar to and
re-uses a bunch of code from the gRPC listener version for envoy sidecar proxies.

Proxy is established only if the alloc is configured for bridge networking and
there is at least one Connect Native task in the Task Group.

Fixes #8290
shoenig added a commit that referenced this issue Jul 22, 2020
shoenig added a commit that referenced this issue Jul 22, 2020
shoenig added a commit that referenced this issue Jul 22, 2020
shoenig added a commit that referenced this issue Jul 29, 2020
github-actions bot commented Nov 4, 2022

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 4, 2022