-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WIP] Implement Consul Backend #767
Conversation
Can one of the admins verify this patch? |
thanks for giving it a try. One question I have - have you considered using sessions to achieve TTL semantics instead of custom implementation? I haven't used sessions for TTL myself, may be someone from consul team can give us advice. Regarding your questions:
We have an acceptance test suite used for all backends here: https://github.com/gravitational/teleport/blob/master/lib/backend/test/suite.go See for example how we use it for Etcd: https://github.com/gravitational/teleport/blob/master/lib/backend/etcdbk/etcd_test.go
To properly add it, in your $GOPATH (caution this command updates your workspace!!!) # this is to align your dependencies with teleport's ones
cd teleport
godep restore Then
|
I would definitely suggest you take a look at the Personally I've had a love hate relationship with consul sessions when dealing with them directly in the past. It is an interesting spin on how to expire key/value pairs vs the more traditional TTL on a specific key/value pair. Ultimately you have to first create a session and then any key/value pairs you create you have to reference that session. That session then should either be maintained for the duration or closed out. Note: DO NOT create a session for every key/value pair, this will overwhelm any consul cluster and it is not how the sessions are designed to work. |
I have not. I'm reaching out to my Hashicorp connection to see if I can get the relevant questions answered.
Ok awesome
Ok awesome, I may have further questions related to running it, but I'll give it a try.
Done, thanks.
Will do.
I'm not against this, but this is absolutely not my call and I cannot justify the needed time for it. I want to be able to try out Teleport at work, and simply having consul support is what is needed.
Thank you so much for this information, I did not know all of this and Hashicorp's docs are lacking. I will take a look at libkv's consul implementation, but I am uncertain at this time how I can use sessions for TTL in the way Teleport expects. |
FWIW @ajvb it might be easiest to just use libkv to do the consul backend in this PR, and once it is in, other backends can start to migrate to it. Just a thought. |
@ekristen Looking at libkv, I am actually becoming fond of that idea. Would definitely make this implementation a lot simpler. Let give that a shot. |
@ekristen thanks for your concern about using sessions for TTL, looking at this: https://github.com/docker/libkv/blob/master/store/consul/consul.go#L203 So it seems that library does exactly what you are suggesting not to do. I made several attempts at using libkv, but then backed off, to use it as a generic implementation backend mostly because I had different approaches to various backends. |
@ajvb so here's the plan:
|
Caveat: it depends on how many keys you are doing and my experience was with Node.JS not golang, so there could be a difference in how things were implemented. I will say that docker uses libkv with swarm and using consul as a backend and I have not seen problems with it. When I suggest it not be done, it was definitely in reaction to doing thousands of writes/reads per minute which depending on session length can cause many many sessions to be created. Here is some information on the session implementation hashicorp/consul#524 |
Looking at the code you referenced, it looks like it will attempt to re-use an existing session should it be available before it tries to create a new one. |
One more thing to note, sorry for the multiple comments ... I have this branch that I haven't opened a pull request on yet that enables using Consul ACL tokens |
@klizhentas Sounds good. Shot off an email to my Hashicorp AE (we have an enterprise account with them), so hopefully I can get answers by Tuesday or so. |
awesome @ajvb I will be glad to assist you with testing/updating/reviewing PR, looking forward to getting it merged! |
@klizhentas Do we have numbers for "scope and scale of key/value or session usage"? What is an expected number of sessions to be created within an hour or a day for sessions-per-kvpair? |
@ajvb sessions are used when people SSH into boxes. So... the answer is number of employees x number of SSH sessions an average employee does per second ;) The highest pressure point for the key/value subsystem is actually server pings. the auth server will call "upsert()" on every node in a cluster every 30 seconds AFAIK. So for a 1,000 node clusters expect 33 upserts per second. |
@kontsevoy Server pings and when a user ssh's into a server are the only times a new K/V pair is added to the backend? |
@ajvb There are other keys stored in the DB (like certificate authorities and users) but the amount of writes is negligible compared to the scenarios mentioned by @kontsevoy |
What I told them:
Response from Hashicorp Support:
👍 🎉 💃 I should have some time this week to swap my custom sessions implementation. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ajvb then we have it all cleared, let me know once you are ready and I will review and test |
@klizhentas So I have a fun problem. If you go to https://www.consul.io/docs/agent/http/session.html#session_create and look at the TTL parameter, you will see this line:
The current test suite uses sessions with a TTL of 1 second and 2 second, which totally blows up. If shorter than 10s TTL's is a requirement then we will need to go back to using the embedded TTL like BoltDB. |
@ajvb 1 sec TTL is just for test, you can adjust for consul if that's a problem. We never really use anything less than 30 sec in prod anyways |
@ajvb I'm going to close this due to the lack of activity. Feel free to reopen if you get a chance to work on it. |
so i know this was closed because of inactivity, but any chance we want to revisit getting this working? |
This is an initial attempt at a consul backend for Teleport.
It's heavily based off of the existing etcd backend, with the main difference of borrowing the TTL logic of the boltdb backend.
Initial Questions:
I haven't used godeps in a while, how do I properly addgh.neting.cc/hashicorp/consul/api
to it?Fixes #423