From ee14aa2781e83ee299c53e223dd8c1c129b49782 Mon Sep 17 00:00:00 2001 From: Diptanu Choudhury Date: Wed, 25 Nov 2015 13:39:16 -0800 Subject: [PATCH 1/8] Added options for adding more consul configuration --- client/client.go | 40 ++++++++++++++++++++++++++-------------- client/consul.go | 36 +++++++++++++++++++++++++++++++++++- client/consul_test.go | 2 +- 3 files changed, 62 insertions(+), 16 deletions(-) diff --git a/client/client.go b/client/client.go index 39a9188de650..7ed4b7f1a050 100644 --- a/client/client.go +++ b/client/client.go @@ -98,22 +98,19 @@ func NewClient(cfg *config.Config) (*Client, error) { // Create a logger logger := log.New(cfg.LogOutput, "", log.LstdFlags) - // Create the consul service - consulAddr := cfg.ReadDefault("consul.address", "127.0.0.1:8500") - consulService, err := NewConsulService(logger, consulAddr) - if err != nil { - return nil, fmt.Errorf("failed to create the consul client: %v", err) - } - // Create the client c := &Client{ - config: cfg, - start: time.Now(), - consulService: consulService, - connPool: nomad.NewPool(cfg.LogOutput, clientRPCCache, clientMaxStreams, nil), - logger: logger, - allocs: make(map[string]*AllocRunner), - shutdownCh: make(chan struct{}), + config: cfg, + start: time.Now(), + connPool: nomad.NewPool(cfg.LogOutput, clientRPCCache, clientMaxStreams, nil), + logger: logger, + allocs: make(map[string]*AllocRunner), + shutdownCh: make(chan struct{}), + } + + // Setup the Consul Service + if err := c.setupConsulService(); err != nil { + return nil, fmt.Errorf("failed to create the consul service: %v", err) } // Initialize the client @@ -152,6 +149,21 @@ func NewClient(cfg *config.Config) (*Client, error) { return c, nil } +func (c *Client) setupConsulService() error { + var consulService *ConsulService + var err error + addr := c.config.ReadDefault("consul.address", "127.0.0.1:8500") + token := c.config.Read("consul.token") + auth := c.config.Read("consul.auth") + enableSSL := c.config.ReadBoolDefault("consul.ssl", false) + verifySSL := c.config.ReadBoolDefault("consul.verifyssl", false) + if consulService, err = NewConsulService(c.logger, addr, token, auth, enableSSL, verifySSL); err != nil { + return err + } + c.consulService = consulService + return nil +} + // init is used to initialize the client and perform any setup // needed before we begin starting its various components. func (c *Client) init() error { diff --git a/client/consul.go b/client/consul.go index d60c0d744ec0..3bb92e45468e 100644 --- a/client/consul.go +++ b/client/consul.go @@ -1,9 +1,12 @@ package client import ( + "crypto/tls" "fmt" "log" + "net/http" "net/url" + "strings" "sync" "time" @@ -53,11 +56,42 @@ type ConsulService struct { trackedTskLock sync.Mutex } -func NewConsulService(logger *log.Logger, consulAddr string) (*ConsulService, error) { +func NewConsulService(logger *log.Logger, consulAddr string, token string, + auth string, enableSSL bool, verifySSL bool) (*ConsulService, error) { var err error var c *consul.Client cfg := consul.DefaultConfig() cfg.Address = consulAddr + if token != "" { + cfg.Token = token + } + + if auth != "" { + var username, password string + if strings.Contains(auth, ":") { + split := strings.SplitN(auth, ":", 2) + username = split[0] + password = split[1] + } else { + username = auth + } + + cfg.HttpAuth = &consul.HttpBasicAuth{ + Username: username, + Password: password, + } + } + if enableSSL { + cfg.Scheme = "https" + } + if enableSSL && !verifySSL { + cfg.HttpClient.Transport = &http.Transport{ + TLSClientConfig: &tls.Config{ + InsecureSkipVerify: true, + }, + } + + } if c, err = consul.NewClient(cfg); err != nil { return nil, err } diff --git a/client/consul_test.go b/client/consul_test.go index 901b655f171a..c4cc2fe2e28e 100644 --- a/client/consul_test.go +++ b/client/consul_test.go @@ -10,7 +10,7 @@ import ( func newConsulService() *ConsulService { logger := log.New(os.Stdout, "logger: ", log.Lshortfile) - c, _ := NewConsulService(logger, "") + c, _ := NewConsulService(logger, "", "", "", false, false) return c } From 11039cd3cb6c55d9be3e2b83c5d69f4805126026 Mon Sep 17 00:00:00 2001 From: Diptanu Choudhury Date: Wed, 25 Nov 2015 13:49:31 -0800 Subject: [PATCH 2/8] Added docs for consul options --- website/source/docs/agent/config.html.md | 14 ++++++++++++++ .../docs/jobspec/servicediscovery.html.md | 17 +++++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/website/source/docs/agent/config.html.md b/website/source/docs/agent/config.html.md index 99c66545f164..4104fad3fb82 100644 --- a/website/source/docs/agent/config.html.md +++ b/website/source/docs/agent/config.html.md @@ -231,6 +231,20 @@ documentation [here](/docs/drivers/index.html) `host:port`. The default is the same as the Consul default address, `127.0.0.1:8500`. +* `consul.token`: Token is used to provide a per-request ACL token.This options + overrides the agent's default token + + +* `consul.auth`: The auth information to use for http access to the Consul + Agent. + +* `consul.ssl`: This boolean option sets the transport scheme to talk to the Consul + Agent as `https`. This option is unset by default and so the default transport + scheme for the consul api client is `http`. + +* `consul.verifyssl`: This option disables SSL verification when the transport + scheme for the Consul API client is `https`. This is set to true by default. + * `driver.whitelist`: A comma seperated list of whitelisted drivers (e.g. "docker,qemu"). If specified, drivers not in the whitelist will be disabled. If the whitelist is empty, all drivers are fingerprinted and enabled where diff --git a/website/source/docs/jobspec/servicediscovery.html.md b/website/source/docs/jobspec/servicediscovery.html.md index 87245c136ffd..9c1ae3e4d00d 100644 --- a/website/source/docs/jobspec/servicediscovery.html.md +++ b/website/source/docs/jobspec/servicediscovery.html.md @@ -24,6 +24,23 @@ Nomad does not currently run Consul for you. override the default Consul Agent HTTP port that Nomad uses to connect to Consul. The default for this is `127.0.0.1:8500`. +* `consul.ssl`: This boolean option sets the transport scheme to talk to the Consul + Agent as `https`. This option is unset by default and so the default transport + scheme for the consul api client is `http`. + +* `consul.verifyssl`: This option disables SSL verification when the transport + scheme for the Consul API client is `https`. This is set to true by default. + +* `driver.whitelist`: A comma seperated list of whitelisted drivers (e.g. + "docker,qemu"). If specified, drivers not in the whitelist will be disabled. + If the whitelist is empty, all drivers are fingerprinted and enabled where + applicable. + +* `fingerprint.whitelist`: A comma seperated list of whitelisted fingerprinters. + If specified, fingerprinters not in the whitelist will be disabled. If the + whitelist is empty, all fingerprinters are used. + + ## Service Definition Syntax The service blocks in a Task definition defines a service which Nomad will From 61e386c5c94152290ca76679e484c34139bc7803 Mon Sep 17 00:00:00 2001 From: Diptanu Choudhury Date: Wed, 25 Nov 2015 13:56:25 -0800 Subject: [PATCH 3/8] Fixed some spellings in old docs --- website/source/docs/jobspec/servicediscovery.html.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/website/source/docs/jobspec/servicediscovery.html.md b/website/source/docs/jobspec/servicediscovery.html.md index 9c1ae3e4d00d..7694442e436b 100644 --- a/website/source/docs/jobspec/servicediscovery.html.md +++ b/website/source/docs/jobspec/servicediscovery.html.md @@ -31,12 +31,12 @@ Nomad does not currently run Consul for you. * `consul.verifyssl`: This option disables SSL verification when the transport scheme for the Consul API client is `https`. This is set to true by default. -* `driver.whitelist`: A comma seperated list of whitelisted drivers (e.g. +* `driver.whitelist`: A comma separated list of whitelisted drivers (e.g. "docker,qemu"). If specified, drivers not in the whitelist will be disabled. If the whitelist is empty, all drivers are fingerprinted and enabled where applicable. -* `fingerprint.whitelist`: A comma seperated list of whitelisted fingerprinters. +* `fingerprint.whitelist`: A comma separated list of whitelisted fingerprinters. If specified, fingerprinters not in the whitelist will be disabled. If the whitelist is empty, all fingerprinters are used. From 402c355e0a6cf57a51617b1ce6c6cd36587207f4 Mon Sep 17 00:00:00 2001 From: Diptanu Choudhury Date: Wed, 25 Nov 2015 13:58:11 -0800 Subject: [PATCH 4/8] Moved some docs around --- website/source/docs/agent/config.html.md | 1 - website/source/docs/jobspec/servicediscovery.html.md | 6 ++++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/website/source/docs/agent/config.html.md b/website/source/docs/agent/config.html.md index 4104fad3fb82..cfc3f4789b6a 100644 --- a/website/source/docs/agent/config.html.md +++ b/website/source/docs/agent/config.html.md @@ -234,7 +234,6 @@ documentation [here](/docs/drivers/index.html) * `consul.token`: Token is used to provide a per-request ACL token.This options overrides the agent's default token - * `consul.auth`: The auth information to use for http access to the Consul Agent. diff --git a/website/source/docs/jobspec/servicediscovery.html.md b/website/source/docs/jobspec/servicediscovery.html.md index 7694442e436b..b89d9de1f2cd 100644 --- a/website/source/docs/jobspec/servicediscovery.html.md +++ b/website/source/docs/jobspec/servicediscovery.html.md @@ -24,6 +24,12 @@ Nomad does not currently run Consul for you. override the default Consul Agent HTTP port that Nomad uses to connect to Consul. The default for this is `127.0.0.1:8500`. +* `consul.token`: Token is used to provide a per-request ACL token.This options + overrides the agent's default token + +* `consul.auth`: The auth information to use for http access to the Consul + Agent. + * `consul.ssl`: This boolean option sets the transport scheme to talk to the Consul Agent as `https`. This option is unset by default and so the default transport scheme for the consul api client is `http`. From 7e9554f3dd64497b6852e8642041345a1e9a0cfd Mon Sep 17 00:00:00 2001 From: Diptanu Choudhury Date: Wed, 25 Nov 2015 14:37:38 -0800 Subject: [PATCH 5/8] Removed redundant doc --- website/source/docs/jobspec/servicediscovery.html.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/website/source/docs/jobspec/servicediscovery.html.md b/website/source/docs/jobspec/servicediscovery.html.md index b89d9de1f2cd..d0a8cfade2d5 100644 --- a/website/source/docs/jobspec/servicediscovery.html.md +++ b/website/source/docs/jobspec/servicediscovery.html.md @@ -42,10 +42,6 @@ Nomad does not currently run Consul for you. If the whitelist is empty, all drivers are fingerprinted and enabled where applicable. -* `fingerprint.whitelist`: A comma separated list of whitelisted fingerprinters. - If specified, fingerprinters not in the whitelist will be disabled. If the - whitelist is empty, all fingerprinters are used. - ## Service Definition Syntax From eedc99ccdaf21266ffff8e7a5fc16f23054e5ce4 Mon Sep 17 00:00:00 2001 From: Diptanu Choudhury Date: Wed, 25 Nov 2015 14:45:28 -0800 Subject: [PATCH 6/8] Fixed the build --- client/task_runner_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/client/task_runner_test.go b/client/task_runner_test.go index ae9a2c4c5091..4557b6b55303 100644 --- a/client/task_runner_test.go +++ b/client/task_runner_test.go @@ -32,7 +32,7 @@ func testTaskRunner(restarts bool) (*MockTaskStateUpdater, *TaskRunner) { upd := &MockTaskStateUpdater{} alloc := mock.Alloc() task := alloc.Job.TaskGroups[0].Tasks[0] - consulClient, _ := NewConsulService(logger, "127.0.0.1:8500") + consulClient, _ := NewConsulService(logger, "127.0.0.1:8500", "", "", false, false) // Initialize the port listing. This should be done by the offer process but // we have a mock so that doesn't happen. task.Resources.Networks[0].ReservedPorts = []structs.Port{{"", 80}} @@ -164,7 +164,7 @@ func TestTaskRunner_SaveRestoreState(t *testing.T) { } // Create a new task runner - consulClient, _ := NewConsulService(tr.logger, "127.0.0.1:8500") + consulClient, _ := NewConsulService(tr.logger, "127.0.0.1:8500", "", "", false, false) tr2 := NewTaskRunner(tr.logger, tr.config, upd.Update, tr.ctx, tr.allocID, &structs.Task{Name: tr.task.Name}, tr.state, tr.restartTracker, consulClient) From 6fdedac785081d29b77b9f4cae50724c08c41a3b Mon Sep 17 00:00:00 2001 From: Diptanu Choudhury Date: Wed, 25 Nov 2015 14:47:11 -0800 Subject: [PATCH 7/8] Removed fingerprint docs from Service Discovery docs --- website/source/docs/jobspec/servicediscovery.html.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/website/source/docs/jobspec/servicediscovery.html.md b/website/source/docs/jobspec/servicediscovery.html.md index d0a8cfade2d5..4bb6062e8f64 100644 --- a/website/source/docs/jobspec/servicediscovery.html.md +++ b/website/source/docs/jobspec/servicediscovery.html.md @@ -37,11 +37,6 @@ Nomad does not currently run Consul for you. * `consul.verifyssl`: This option disables SSL verification when the transport scheme for the Consul API client is `https`. This is set to true by default. -* `driver.whitelist`: A comma separated list of whitelisted drivers (e.g. - "docker,qemu"). If specified, drivers not in the whitelist will be disabled. - If the whitelist is empty, all drivers are fingerprinted and enabled where - applicable. - ## Service Definition Syntax From eaea4f68003172979b20fda91d3822017c9dfe8c Mon Sep 17 00:00:00 2001 From: Diptanu Choudhury Date: Wed, 25 Nov 2015 14:54:52 -0800 Subject: [PATCH 8/8] Fixed the alloc runner test --- client/alloc_runner_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/client/alloc_runner_test.go b/client/alloc_runner_test.go index d5228386546d..6b49fcb533f9 100644 --- a/client/alloc_runner_test.go +++ b/client/alloc_runner_test.go @@ -31,7 +31,7 @@ func testAllocRunner(restarts bool) (*MockAllocStateUpdater, *AllocRunner) { conf.AllocDir = os.TempDir() upd := &MockAllocStateUpdater{} alloc := mock.Alloc() - consulClient, _ := NewConsulService(logger, "127.0.0.1:8500") + consulClient, _ := NewConsulService(logger, "127.0.0.1:8500", "", "", false, false) if !restarts { alloc.Job.Type = structs.JobTypeBatch *alloc.Job.LookupTaskGroup(alloc.TaskGroup).RestartPolicy = structs.RestartPolicy{Attempts: 0} @@ -142,7 +142,7 @@ func TestAllocRunner_SaveRestoreState(t *testing.T) { } // Create a new alloc runner - consulClient, err := NewConsulService(ar.logger, "127.0.0.1:8500") + consulClient, err := NewConsulService(ar.logger, "127.0.0.1:8500", "", "", false, false) ar2 := NewAllocRunner(ar.logger, ar.config, upd.Update, &structs.Allocation{ID: ar.alloc.ID}, consulClient) err = ar2.RestoreState()