From 87c85191b39f658d5fbe8ea21ea026509d89a2dd Mon Sep 17 00:00:00 2001
From: James Phillips
Date: Sat, 15 Jul 2017 00:15:12 -0700
Subject: [PATCH 1/7] Adds new config to make script checks opt-in, updates documentation. Fixes #3087.
---
 agent/agent.go | 11 +++++--
 agent/agent_test.go | 31 +++++++++++++++++++
 agent/config.go | 7 +++++
 agent/config_test.go | 5 +++
 agent/consul/structs/check_type.go | 5 +++
 agent/testagent.go | 1 +
 command/agent.go | 1 +
 testutil/server.go | 4 ++-
 website/source/docs/agent/checks.html.md | 28 +++++++++++------
 website/source/docs/agent/options.html.md | 9 ++++++
 website/source/docs/guides/acl.html.md | 8 +++++
 .../source/intro/getting-started/join.html.md | 4 +--
 12 files changed, 99 insertions(+), 15 deletions(-)
diff --git a/agent/agent.go b/agent/agent.go
index e81b91fc31b1..7ba7379a88f1 100644
--- a/agent/agent.go
+++ b/agent/agent.go
@@ -1595,8 +1595,15 @@ func (a *Agent) AddCheck(check *structs.HealthCheck, chkType *structs.CheckType,
 if check.CheckID == "" {
 return fmt.Errorf("CheckID missing")
 }
- if chkType != nil && !chkType.Valid() {
- return fmt.Errorf("Check type is not valid")
+
+ if chkType != nil {
+ if !chkType.Valid() {
+ return fmt.Errorf("Check type is not valid")
+ }
+
+ if chkType.IsExec() && !a.config.CheckEnableExec {
+ return fmt.Errorf("Check types that exec scripts are disabled on this agent")
+ }
 }
 if check.ServiceID != "" {
diff --git a/agent/agent_test.go b/agent/agent_test.go
index 97f772cf4126..457b232f4f39 100644
--- a/agent/agent_test.go
+++ b/agent/agent_test.go
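Review bot: The opt-in gate on the new `chkType.IsExec()` line only covers checks whose `Script` field is set, because the `check_type.go` hunk in this same patch defines `IsExec` as `c.Script != ""`, while the `Config` comment says the switch also covers Docker checks; whether every Docker check carries a non-empty `Script` is not visible here, so a Docker check with an empty script field would pass `Valid()` through `IsDocker()` and skip the gate. Making the policy explicit removes the dependence on that coupling: `if (chkType.IsExec() || chkType.IsDocker()) && !a.config.CheckEnableExec {`. A one-line comment above the gate would also record the intent for the next reader, e.g. `// Script and Docker checks run commands under the agent's own credentials; they are opt-in via check_enable_exec.` AddCheck's signature and the rest of its body lie outside this hunk, so I cannot confirm from here that every registration path (config-file checks, checks embedded in a service definition) goes through it — worth verifying, since the gate is only effective if they do.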
@@ -797,6 +797,37 @@ func TestAgent_AddCheck_RestoreState(t *testing.T) {
 }
 }
+func TestAgent_AddCheck_ExecDisable(t *testing.T) {
+ t.Parallel()
+
+ cfg := TestConfig()
+ cfg.CheckEnableExec = false
+
+ a := NewTestAgent(t.Name(), cfg)
+ defer a.Shutdown()
+
+ health := &structs.HealthCheck{
+ Node: "foo",
+ CheckID: "mem",
+ Name: "memory util",
+ Status: api.HealthCritical,
+ }
+ chk := &structs.CheckType{
+ Script: "exit 0",
+ Interval: 15 * time.Second,
+ }
+ err := a.AddCheck(health, chk, false, "")
+ if err == nil || !strings.Contains(err.Error(), "exec scripts are disabled on this agent") {
+ t.Fatalf("err: %v", err)
+ }
+
+ // Ensure we don't have a check mapping
+ _, ok := a.state.Checks()["mem"]
+ if ok {
+ t.Fatalf("should be missing mem check")
+ }
+}
+
 func TestAgent_RemoveCheck(t *testing.T) {
 t.Parallel()
 a := NewTestAgent(t.Name(), nil)
diff --git a/agent/config.go b/agent/config.go
index 34506c6712a0..ef9a9ffea250 100644
--- a/agent/config.go
+++ b/agent/config.go
@@ -625,6 +625,10 @@ type Config struct {
 // true, we ignore the leave, and rejoin the cluster on start.
 RejoinAfterLeave bool `mapstructure:"rejoin_after_leave"`
+ // CheckEnableExec controls whether health checks which execute scripts
+ // are enabled. This includes regular script checks and Docker checks.
+ CheckEnableExec bool `mapstructure:"check_enable_exec"`
+
 // CheckUpdateInterval controls the interval on which the output of a health check
 // is updated if there is no change to the state. For example, a check in a steady
 // state may run every 5 second generating a unique output (timestamp, etc), forcing
@@ -1932,6 +1936,9 @@ func MergeConfig(a, b *Config) *Config {
 if b.DNSConfig.RecursorTimeout != 0 {
 result.DNSConfig.RecursorTimeout = b.DNSConfig.RecursorTimeout
 }
+ if b.CheckEnableExec {
+ result.CheckEnableExec = true
+ }
 if b.CheckUpdateIntervalRaw != "" || b.CheckUpdateInterval != 0 {
 result.CheckUpdateInterval = b.CheckUpdateInterval
 }
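Review bot: TestAgent_AddCheck_ExecDisable pins only a plain `Script` check on the negative path, so neither the Docker flavour named in the `Config` comment nor the positive case (flag on, the same check accepted) is covered by a test. A second `CheckType` of the kind `IsDocker()` recognizes, and a separate run with `cfg.CheckEnableExec = true` expecting `err == nil`, would catch a later change that narrows or widens the gate. Matching the error via `strings.Contains(err.Error(), ...)` works but ties the test to the message text; if the agent package exported a sentinel for this refusal, `errors.Is` would survive wording edits.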
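Review bot: The new `CheckEnableExec` field comment does not state the default or what flipping it means, which is what an operator reading the struct needs; suggest replacing the two comment lines with `// CheckEnableExec controls whether health checks which execute scripts (regular script checks and Docker checks) are enabled. It defaults to false: once enabled, any caller permitted to register a check on this agent can make it run a command under the agent's own credentials, so enable ACLs alongside it to limit who may register checks.` The `MergeConfig` hunk further down makes the flag sticky — once any merged fragment sets it, `result.CheckEnableExec` stays true and a later fragment cannot switch it off — which matches the neighbouring boolean merges but deserves a sentence in the same comment so nobody expects a config-dir override to disable it. Whether the HTTP API is one of those registration paths is not visible in this hunk, though the docs hunk in this patch implies it.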
diff --git a/agent/config_test.go b/agent/config_test.go
index e4f0b16aab72..b83c2c1c0180 100644
--- a/agent/config_test.go
+++ b/agent/config_test.go
@@ -217,6 +217,10 @@ func TestDecodeConfig(t *testing.T) {
 in: `{"ca_path":"a"}`,
 c: &Config{CAPath: "a"},
 },
+ {
+ in: `{"check_enable_exec":true}`,
+ c: &Config{CheckEnableExec: true},
+ },
 {
 in: `{"check_update_interval":"2s"}`,
 c: &Config{CheckUpdateInterval: 2 * time.Second, CheckUpdateIntervalRaw: "2s"},
@@ -1363,6 +1367,7 @@ func TestMergeConfig(t *testing.T) {
 ReconnectTimeoutLan: 24 * time.Hour,
 ReconnectTimeoutWanRaw: "36h",
 ReconnectTimeoutWan: 36 * time.Hour,
+ CheckEnableExec: true,
 CheckUpdateInterval: 8 * time.Minute,
 CheckUpdateIntervalRaw: "8m",
 ACLToken: "1111",
diff --git a/agent/consul/structs/check_type.go b/agent/consul/structs/check_type.go
index 07e7007b6184..5ea9f8197894 100644
--- a/agent/consul/structs/check_type.go
+++ b/agent/consul/structs/check_type.go
@@ -47,6 +47,11 @@ func (c *CheckType) Valid() bool {
 return c.IsTTL() || c.IsMonitor() || c.IsHTTP() || c.IsTCP() || c.IsDocker()
 }
+// IsExec checks if this is a check that execs some kind of script.
+func (c *CheckType) IsExec() bool {
+ return c.Script != ""
+}
+
 // IsTTL checks if this is a TTL type
 func (c *CheckType) IsTTL() bool {
 return c.TTL != 0
diff --git a/agent/testagent.go b/agent/testagent.go
index cf5d98c4db77..91f24ff4f4a5 100644
--- a/agent/testagent.go
+++ b/agent/testagent.go
@@ -314,6 +314,7 @@ func TestConfig() *Config {
 cfg.Datacenter = "dc1"
 cfg.Bootstrap = true
 cfg.Server = true
+ cfg.CheckEnableExec = true
 ccfg := consul.DefaultConfig()
 cfg.ConsulConfig = ccfg
diff --git a/command/agent.go b/command/agent.go
index 3a0aeb4d2037..222b7e69d001 100644
--- a/command/agent.go
+++ b/command/agent.go
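Review bot: The `IsExec` doc comment says the check "execs some kind of script" but the body only inspects `Script`, so a reader cannot tell whether Docker checks — which `Valid()` on the line above recognizes via `IsDocker()` — are meant to be included; suggest `// IsExec reports whether this check runs a command on the agent host, which is the case whenever Script is set (Docker checks are covered only when they also set Script).` The second patch in this series renames the method to `IsScript`, which already reads closer to what the body tests, so the comment tightening could ride along with that rename.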
@@ -80,6 +80,7 @@ func (cmd *AgentCommand) readConfig() *agent.Config {
 "A unique ID for this node across space and time. Defaults to a randomly-generated ID"+
 " that persists in the data-dir.")
+ f.BoolVar(&cmdCfg.CheckEnableExec, "check-enable-exec", false, "Enables health check scripts.")
 var disableHostNodeID configutil.BoolValue
 f.Var(&disableHostNodeID, "disable-host-node-id",
 "Setting this to true will prevent Consul from using information from the"+
diff --git a/testutil/server.go b/testutil/server.go
index 3cb959a47af4..aead8def381d 100644
--- a/testutil/server.go
+++ b/testutil/server.go
@@ -86,6 +86,7 @@ type TestServerConfig struct {
 VerifyIncomingRPC bool `json:"verify_incoming_rpc,omitempty"`
 VerifyIncomingHTTPS bool `json:"verify_incoming_https,omitempty"`
 VerifyOutgoing bool `json:"verify_outgoing,omitempty"`
+ CheckEnableExec bool `json:"check_enable_exec,omitempty"`
 ReadyTimeout time.Duration `json:"-"`
 Stdout, Stderr io.Writer `json:"-"`
 Args []string `json:"-"`
@@ -124,7 +125,8 @@ func defaultServerConfig() *TestServerConfig {
 Server: randomPort(),
 RPC: randomPort(),
 },
- ReadyTimeout: 10 * time.Second,
+ CheckEnableExec: true,
+ ReadyTimeout: 10 * time.Second,
 }
 }
diff --git a/website/source/docs/agent/checks.html.md b/website/source/docs/agent/checks.html.md
index b4676fed3f7c..0f17822f6404 100644
--- a/website/source/docs/agent/checks.html.md
+++ b/website/source/docs/agent/checks.html.md
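Review bot: The `-check-enable-exec` help string `"Enables health check scripts."` omits the two facts the options.html.md hunk in this same patch stresses — it is off by default and should be paired with ACLs — and the CLI help is often the only text an operator reads before flipping it; suggest `f.BoolVar(&cmdCfg.CheckEnableExec, "check-enable-exec", false, "Enables health check scripts (off by default). Enable ACLs as well so only authorized callers can register checks that run scripts.")`. readConfig's body continues outside the hunk. The `defaultServerConfig` hunk below turns the flag on for every test server; the seventh patch in this series says it turns script checks off by default in tests and touches testutil/server.go, so that is presumably addressed there.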
@@ -24,7 +24,9 @@ There are five different kinds of checks: a script check is limited to 4K. Output larger than this will be truncated. By default, Script checks will be configured with a timeout equal to 30 seconds. It is possible to configure a custom Script check timeout value by specifying the - `timeout` field in the check definition. + `timeout` field in the check definition. In Consul 0.9.0 and later, the agent + must be configured with [`check_enable_exec`](/docs/agent/options.html#_check_enable_exec) + set to `true` in order to enable script checks. * HTTP + Interval - These checks make an HTTP `GET` request every Interval (e.g. every 30 seconds) to the specified URL. The status of the service depends on 
@@ -74,15 +76,17 @@ There are five different kinds of checks: valid through the end of the TTL from the time of the last check. * Docker + Interval - These checks depend on invoking an external application which -is packaged within a Docker Container. The application is triggered within the running -container via the Docker Exec API. We expect that the Consul agent user has access -to either the Docker HTTP API or the unix socket. Consul uses ```$DOCKER_HOST``` to -determine the Docker API endpoint. The application is expected to run, perform a health -check of the service running inside the container, and exit with an appropriate exit code. -The check should be paired with an invocation interval. The shell on which the check -has to be performed is configurable which makes it possible to run containers which -have different shells on the same host. Check output for Docker is limited to -4K. Any output larger than this will be truncated. + is packaged within a Docker Container. The application is triggered within the running + container via the Docker Exec API. We expect that the Consul agent user has access + to either the Docker HTTP API or the unix socket. Consul uses ```$DOCKER_HOST``` to + determine the Docker API endpoint. The application is expected to run, perform a health + check of the service running inside the container, and exit with an appropriate exit code. + The check should be paired with an invocation interval. The shell on which the check + has to be performed is configurable which makes it possible to run containers which + have different shells on the same host. Check output for Docker is limited to + 4K. Any output larger than this will be truncated. In Consul 0.9.0 and later, the agent + must be configured with [`check_enable_exec`](/docs/agent/options.html#_check_enable_exec) + set to `true` in order to enable script checks. ## Check Definition 
@@ -210,6 +214,10 @@ This is the only convention that Consul depends on. Any output of the script will be captured and stored in the `notes` field so that it can be viewed by human operators. +In Consul 0.9.0 and later, the agent must be configured with +[`check_enable_exec`](/docs/agent/options.html#_check_enable_exec) set to `true` +in order to enable script checks. + ## Initial Health Check Status By default, when checks are registered against a Consul agent, the state is set diff --git a/website/source/docs/agent/options.html.md b/website/source/docs/agent/options.html.md index 88e8df4b3839..40596ec86278 100644 --- a/website/source/docs/agent/options.html.md +++ b/website/source/docs/agent/options.html.md @@ -96,6 +96,12 @@ will exit with an error at startup. This is an IP address that should be reachable by all other LAN nodes in the cluster. By default, the value follows the same rules as [`-bind` command-line flag](#_bind), and if this is not specified, the `-bind` option is used. This is available in Consul 0.7.1 and later. +* `check-enable-exec` This + controls whether [health checks that execute scripts](/docs/agent/checks.html) are enabled on + this agent, and defaults to `false` so operators must opt-in to allowing these. If enabled, + it is recommended to [enable ACLs](/docs/guides/acl.html) as well to control which users are + allowed to register new checks to execute scripts. This was added in Consul 0.9.0. + * `-client` - The address to which Consul will bind client interfaces, including the HTTP and DNS servers. By default, this is "127.0.0.1", allowing only loopback connections. 
@@ -606,6 +612,9 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass PEM-encoded certificate. The certificate is provided to clients or servers to verify the agent's authenticity. It must be provided along with [`key_file`](#key_file). +* `check_enable_exec` Equivalent to the + [`-check-enable-exec` command-line flag](#_check_enable_exec). + * `check_update_interval` This interval controls how often check output from checks in a steady state is synchronized with the server. By default, this is diff --git a/website/source/docs/guides/acl.html.md b/website/source/docs/guides/acl.html.md index a2794fcd33bc..1554e1c41505 100644 --- a/website/source/docs/guides/acl.html.md +++ b/website/source/docs/guides/acl.html.md @@ -684,6 +684,10 @@ to use for registration events: [checks](/docs/agent/checks.html). Tokens may also be passed to the [HTTP API](/api/index.html) for operations that require them. +In addition to ACLs, in Consul 0.9.0 and later, the agent must be configured with +[`check_enable_exec`](/docs/agent/options.html#_check_enable_exec) set to `true` in order to enable +script checks. + #### Operator Rules The `operator` policy controls access to cluster-level operations in the @@ -866,6 +870,10 @@ to use for registration events: [checks](/docs/agent/checks.html). Tokens may also be passed to the [HTTP API](/api/index.html) for operations that require them. +In addition to ACLs, in Consul 0.9.0 and later, the agent must be configured with +[`check_enable_exec`](/docs/agent/options.html#_check_enable_exec) set to `true` in order to enable +script checks. + #### Session Rules The `session` policy controls access to [Session API](/api/session.html) operations. diff --git a/website/source/intro/getting-started/join.html.md b/website/source/intro/getting-started/join.html.md index 9169e87a4fea..71f40e51b709 100644 --- a/website/source/intro/getting-started/join.html.md +++ b/website/source/intro/getting-started/join.html.md 
@@ -81,7 +81,7 @@ All together, these settings yield a
 ```text
 vagrant@n1:~$ consul agent -server -bootstrap-expect=1 \
 -data-dir=/tmp/consul -node=agent-one -bind=172.20.20.10 \
- -config-dir=/etc/consul.d
+ -check-enable-exec=true -config-dir=/etc/consul.d
 ...
 ```
@@ -102,7 +102,7 @@ All together, these settings yield a
 ```text
 vagrant@n2:~$ consul agent -data-dir=/tmp/consul -node=agent-two \
- -bind=172.20.20.11 -config-dir=/etc/consul.d
+ -bind=172.20.20.11 -check-enable-exec=true -config-dir=/etc/consul.d
 ...
 ```
From a3a4c5ba8e687ee161eb441537c797122115b410 Mon Sep 17 00:00:00 2001
From: James Phillips
Date: Mon, 17 Jul 2017 10:00:14 -0700
Subject: [PATCH 2/7] Renames IsExec to IsScript.
---
 agent/agent.go | 2 +-
 agent/consul/structs/check_type.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/agent/agent.go b/agent/agent.go
index 7ba7379a88f1..d87314fa5146 100644
--- a/agent/agent.go
+++ b/agent/agent.go
@@ -1601,7 +1601,7 @@ func (a *Agent) AddCheck(check *structs.HealthCheck, chkType *structs.CheckType,
 return fmt.Errorf("Check type is not valid")
 }
- if chkType.IsExec() && !a.config.CheckEnableExec {
+ if chkType.IsScript() && !a.config.CheckEnableExec {
 return fmt.Errorf("Check types that exec scripts are disabled on this agent")
 }
 }
diff --git a/agent/consul/structs/check_type.go b/agent/consul/structs/check_type.go
index 5ea9f8197894..5fbfb3da3e76 100644
--- a/agent/consul/structs/check_type.go
+++ b/agent/consul/structs/check_type.go
@@ -47,8 +47,8 @@ func (c *CheckType) Valid() bool {
 return c.IsTTL() || c.IsMonitor() || c.IsHTTP() || c.IsTCP() || c.IsDocker()
 }
-// IsExec checks if this is a check that execs some kind of script.
-func (c *CheckType) IsExec() bool {
+// IsScript checks if this is a check that execs some kind of script.
+func (c *CheckType) IsScript() bool {
 return c.Script != ""
 }
From 37658cef096d0a7380840baf9224eab7441953a7 Mon Sep 17 00:00:00 2001
From: James Phillips
Date: Mon, 17 Jul 2017 10:02:50 -0700
Subject: [PATCH 3/7] Tweaks unit test to just check for nil.
---
 agent/agent_test.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/agent/agent_test.go b/agent/agent_test.go
index 457b232f4f39..169e244fea38 100644
--- a/agent/agent_test.go
+++ b/agent/agent_test.go
@@ -822,8 +822,7 @@ func TestAgent_AddCheck_ExecDisable(t *testing.T) {
 }
 // Ensure we don't have a check mapping
- _, ok := a.state.Checks()["mem"]
- if ok {
+ if memChk := a.state.Checks()["mem"]; memChk != nil {
 t.Fatalf("should be missing mem check")
 }
 }
From a743400d490b654dcf417ce3ff29ad71e63bb010 Mon Sep 17 00:00:00 2001
From: James Phillips
Date: Mon, 17 Jul 2017 10:23:56 -0700
Subject: [PATCH 4/7] Renames to EnableScriptChecks (and derivatives).
---
 agent/agent.go | 2 +-
 agent/agent_test.go | 2 +-
 agent/config.go | 11 ++++---
 agent/config_test.go | 10 +++---
 agent/testagent.go | 2 +-
 command/agent.go | 2 +-
 testutil/server.go | 6 ++---
 website/source/docs/agent/checks.html.md | 6 ++---
 website/source/docs/agent/options.html.md | 26 +++++++++----------
 website/source/docs/guides/acl.html.md | 4 +--
 .../source/intro/getting-started/join.html.md | 10 +++++--
 11 files changed, 44 insertions(+), 37 deletions(-)
diff --git a/agent/agent.go b/agent/agent.go
index d87314fa5146..4b3dc8f1f0ac 100644
--- a/agent/agent.go
+++ b/agent/agent.go
@@ -1601,7 +1601,7 @@ func (a *Agent) AddCheck(check *structs.HealthCheck, chkType *structs.CheckType,
 return fmt.Errorf("Check type is not valid")
 }
- if chkType.IsScript() && !a.config.CheckEnableExec {
+ if chkType.IsScript() && !a.config.EnableScriptChecks {
 return fmt.Errorf("Check types that exec scripts are disabled on this agent")
 }
 }
diff --git a/agent/agent_test.go b/agent/agent_test.go
index 169e244fea38..4792acc152f3 100644
--- a/agent/agent_test.go
+++ b/agent/agent_test.go
@@ -801,7 +801,7 @@ func TestAgent_AddCheck_ExecDisable(t *testing.T) {
 t.Parallel()
 cfg := TestConfig()
- cfg.CheckEnableExec = false
+ cfg.EnableScriptChecks = false
 a := NewTestAgent(t.Name(), cfg)
 defer a.Shutdown()
diff --git a/agent/config.go b/agent/config.go
index ef9a9ffea250..33b537abc843 100644
--- a/agent/config.go
+++ b/agent/config.go
@@ -625,9 +625,10 @@ type Config struct {
 // true, we ignore the leave, and rejoin the cluster on start.
 RejoinAfterLeave bool `mapstructure:"rejoin_after_leave"`
- // CheckEnableExec controls whether health checks which execute scripts
- // are enabled. This includes regular script checks and Docker checks.
- CheckEnableExec bool `mapstructure:"check_enable_exec"`
+ // EnableScriptChecks controls whether health checks which execute
+ // scripts are enabled. This includes regular script checks and Docker
+ // checks.
+ EnableScriptChecks bool `mapstructure:"enable_script_checks"`
 // CheckUpdateInterval controls the interval on which the output of a health check
 // is updated if there is no change to the state. For example, a check in a steady
@@ -1936,8 +1937,8 @@ func MergeConfig(a, b *Config) *Config {
 if b.DNSConfig.RecursorTimeout != 0 {
 result.DNSConfig.RecursorTimeout = b.DNSConfig.RecursorTimeout
 }
- if b.CheckEnableExec {
- result.CheckEnableExec = true
+ if b.EnableScriptChecks {
+ result.EnableScriptChecks = true
 }
 if b.CheckUpdateIntervalRaw != "" || b.CheckUpdateInterval != 0 {
 result.CheckUpdateInterval = b.CheckUpdateInterval
diff --git a/agent/config_test.go b/agent/config_test.go
index b83c2c1c0180..368111c1baff 100644
--- a/agent/config_test.go
+++ b/agent/config_test.go
@@ -217,10 +217,6 @@ func TestDecodeConfig(t *testing.T) {
 in: `{"ca_path":"a"}`,
 c: &Config{CAPath: "a"},
 },
- {
- in: `{"check_enable_exec":true}`,
- c: &Config{CheckEnableExec: true},
- },
 {
 in: `{"check_update_interval":"2s"}`,
 c: &Config{CheckUpdateInterval: 2 * time.Second, CheckUpdateIntervalRaw: "2s"},
@@ -326,6 +322,10 @@ func TestDecodeConfig(t *testing.T) {
 in: `{"disable_keyring_file":true}`,
 c: &Config{DisableKeyringFile: true},
 },
+ {
+ in: `{"enable_script_checks":true}`,
+ c: &Config{EnableScriptChecks: true},
+ },
 {
 in: `{"encrypt_verify_incoming":true}`,
 c: &Config{EncryptVerifyIncoming: Bool(true)},
@@ -1367,7 +1367,7 @@ func TestMergeConfig(t *testing.T) {
 ReconnectTimeoutLan: 24 * time.Hour,
 ReconnectTimeoutWanRaw: "36h",
 ReconnectTimeoutWan: 36 * time.Hour,
- CheckEnableExec: true,
+ EnableScriptChecks: true,
 CheckUpdateInterval: 8 * time.Minute,
 CheckUpdateIntervalRaw: "8m",
 ACLToken: "1111",
diff --git a/agent/testagent.go b/agent/testagent.go
index 91f24ff4f4a5..853619f7fdbc 100644
--- a/agent/testagent.go
+++ b/agent/testagent.go
@@ -314,7 +314,7 @@ func TestConfig() *Config {
 cfg.Datacenter = "dc1"
 cfg.Bootstrap = true
 cfg.Server = true
- cfg.CheckEnableExec = true
+ cfg.EnableScriptChecks = true
 ccfg := consul.DefaultConfig()
 cfg.ConsulConfig = ccfg
diff --git a/command/agent.go b/command/agent.go
index 222b7e69d001..0df8848b1872 100644
--- a/command/agent.go
+++ b/command/agent.go
@@ -80,7 +80,7 @@ func (cmd *AgentCommand) readConfig() *agent.Config {
 "A unique ID for this node across space and time. Defaults to a randomly-generated ID"+
 " that persists in the data-dir.")
- f.BoolVar(&cmdCfg.CheckEnableExec, "check-enable-exec", false, "Enables health check scripts.")
+ f.BoolVar(&cmdCfg.EnableScriptChecks, "enable-script-checks", false, "Enables health check scripts.")
 var disableHostNodeID configutil.BoolValue
 f.Var(&disableHostNodeID, "disable-host-node-id",
 "Setting this to true will prevent Consul from using information from the"+
diff --git a/testutil/server.go b/testutil/server.go
index aead8def381d..2077da31a8d7 100644
--- a/testutil/server.go
+++ b/testutil/server.go
@@ -86,7 +86,7 @@ type TestServerConfig struct {
 VerifyIncomingRPC bool `json:"verify_incoming_rpc,omitempty"`
 VerifyIncomingHTTPS bool `json:"verify_incoming_https,omitempty"`
 VerifyOutgoing bool `json:"verify_outgoing,omitempty"`
- CheckEnableExec bool `json:"check_enable_exec,omitempty"`
+ EnableScriptChecks bool `json:"enable_script_checks,omitempty"`
 ReadyTimeout time.Duration `json:"-"`
 Stdout, Stderr io.Writer `json:"-"`
 Args []string `json:"-"`
@@ -125,8 +125,8 @@ func defaultServerConfig() *TestServerConfig {
 Server: randomPort(),
 RPC: randomPort(),
 },
- CheckEnableExec: true,
- ReadyTimeout: 10 * time.Second,
+ EnableScriptChecks: true,
+ ReadyTimeout: 10 * time.Second,
 }
 }
diff --git a/website/source/docs/agent/checks.html.md b/website/source/docs/agent/checks.html.md
index 0f17822f6404..9f092221d9f0 100644
--- a/website/source/docs/agent/checks.html.md
+++ b/website/source/docs/agent/checks.html.md
@@ -25,7 +25,7 @@ There are five different kinds of checks:
 By default, Script checks will be configured with a timeout equal to 30 seconds.
 It is possible to configure a custom Script check timeout value by specifying the
 `timeout` field in the check definition. In Consul 0.9.0 and later, the agent
- must be configured with [`check_enable_exec`](/docs/agent/options.html#_check_enable_exec)
+ must be configured with [`enable_script_checks`](/docs/agent/options.html#_enable_script_checks)
 set to `true` in order to enable script checks.
 * HTTP + Interval - These checks make an HTTP `GET` request every Interval (e.g.
@@ -85,7 +85,7 @@ There are five different kinds of checks: has to be performed is configurable which makes it possible to run containers which have different shells on the same host. Check output for Docker is limited to 4K. Any output larger than this will be truncated. In Consul 0.9.0 and later, the agent - must be configured with [`check_enable_exec`](/docs/agent/options.html#_check_enable_exec) + must be configured with [`enable_script_checks`](/docs/agent/options.html#_enable_script_checks) set to `true` in order to enable script checks. ## Check Definition @@ -215,7 +215,7 @@ will be captured and stored in the `notes` field so that it can be viewed by human operators. In Consul 0.9.0 and later, the agent must be configured with -[`check_enable_exec`](/docs/agent/options.html#_check_enable_exec) set to `true` +[`enable_script_checks`](/docs/agent/options.html#_enable_script_checks) set to `true` in order to enable script checks. ## Initial Health Check Status diff --git a/website/source/docs/agent/options.html.md b/website/source/docs/agent/options.html.md index 40596ec86278..a43bd39a4100 100644 --- a/website/source/docs/agent/options.html.md +++ b/website/source/docs/agent/options.html.md 
@@ -96,12 +96,6 @@ will exit with an error at startup. This is an IP address that should be reachable by all other LAN nodes in the cluster. By default, the value follows the same rules as [`-bind` command-line flag](#_bind), and if this is not specified, the `-bind` option is used. This is available in Consul 0.7.1 and later. -* `check-enable-exec` This - controls whether [health checks that execute scripts](/docs/agent/checks.html) are enabled on - this agent, and defaults to `false` so operators must opt-in to allowing these. If enabled, - it is recommended to [enable ACLs](/docs/guides/acl.html) as well to control which users are - allowed to register new checks to execute scripts. This was added in Consul 0.9.0. - * `-client` - The address to which Consul will bind client interfaces, including the HTTP and DNS servers. By default, this is "127.0.0.1", allowing only loopback connections. @@ -153,6 +147,10 @@ will exit with an error at startup. [Nomad](https://www.nomadproject.io/), so if you opt-in to host-based IDs then Consul and Nomad will use information on the host to automatically assign the same ID in both systems. +* `-disable-keyring-file` - If set, + the keyring will not be persisted to a file. Any installed keys will be lost on shutdown, and only the given + `-encrypt` key will be available on startup. This defaults to false. + * `-dns-port` - the DNS port to listen on. This overrides the default port 8600. This is available in Consul 0.7 and later. 
@@ -160,6 +158,12 @@ will exit with an error at startup. in the "consul." domain. This flag can be used to change that domain. All queries in this domain are assumed to be handled by Consul and will not be recursively resolved. +* `enable-script-checks` This + controls whether [health checks that execute scripts](/docs/agent/checks.html) are enabled on + this agent, and defaults to `false` so operators must opt-in to allowing these. If enabled, + it is recommended to [enable ACLs](/docs/guides/acl.html) as well to control which users are + allowed to register new checks to execute scripts. This was added in Consul 0.9.0. + * `-encrypt` - Specifies the secret key to use for encryption of Consul network traffic. This key must be 16-bytes that are Base64-encoded. The @@ -173,10 +177,6 @@ will exit with an error at startup. initialized with an encryption key, then the provided key is ignored and a warning will be displayed. -* `-disable-keyring-file` - If set, - the keyring will not be persisted to a file. Any installed keys will be lost on shutdown, and only the given - `-encrypt` key will be available on startup. This defaults to false. - * `-http-port` - the HTTP API port to listen on. This overrides the default port 8500. This option is very useful when deploying Consul to an environment which communicates the HTTP port through the environment e.g. PaaS like CloudFoundry, allowing @@ -612,9 +612,6 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass PEM-encoded certificate. The certificate is provided to clients or servers to verify the agent's authenticity. It must be provided along with [`key_file`](#key_file). -* `check_enable_exec` Equivalent to the - [`-check-enable-exec` command-line flag](#_check_enable_exec). - * `check_update_interval` This interval controls how often check output from checks in a steady state is synchronized with the server. By default, this is 
@@ -721,6 +718,9 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass * `enable_debug` When set, enables some additional debugging features. Currently, this is only used to set the runtime profiling HTTP endpoints. +* `enable_script_checks` Equivalent to the + [`-enable-script-checks` command-line flag](#_enable_script_checks). + * `enable_syslog` Equivalent to the [`-syslog` command-line flag](#_syslog). diff --git a/website/source/docs/guides/acl.html.md b/website/source/docs/guides/acl.html.md index 1554e1c41505..2ea46a51ebfb 100644 --- a/website/source/docs/guides/acl.html.md +++ b/website/source/docs/guides/acl.html.md @@ -685,7 +685,7 @@ to use for registration events: [HTTP API](/api/index.html) for operations that require them. In addition to ACLs, in Consul 0.9.0 and later, the agent must be configured with -[`check_enable_exec`](/docs/agent/options.html#_check_enable_exec) set to `true` in order to enable +[`enable_script_checks`](/docs/agent/options.html#_enable_script_checks) set to `true` in order to enable script checks. #### Operator Rules @@ -871,7 +871,7 @@ to use for registration events: [HTTP API](/api/index.html) for operations that require them. In addition to ACLs, in Consul 0.9.0 and later, the agent must be configured with -[`check_enable_exec`](/docs/agent/options.html#_check_enable_exec) set to `true` in order to enable +[`enable_script_checks`](/docs/agent/options.html#_enable_script_checks) set to `true` in order to enable script checks. #### Session Rules diff --git a/website/source/intro/getting-started/join.html.md b/website/source/intro/getting-started/join.html.md index 71f40e51b709..59123a429537 100644 --- a/website/source/intro/getting-started/join.html.md +++ b/website/source/intro/getting-started/join.html.md 
@@ -72,6 +72,12 @@ the replicated log until the expected number of servers has successfully joined. You can read more about this in the [bootstrapping guide](/docs/guides/bootstrapping.html). +We've included the [`-enable_script_checks`](/docs/agent/options.html#_enable_script_checks) +flag set to `true` in order to enable health checks that can execute external scripts. +This will be used in examples later. For production use, you'd want to configure +[ACLs](/docs/guides/acl.html) in conjunction with this to control the ability to +register arbitrary scripts. + Finally, we add the [`config-dir` flag](/docs/agent/options.html#_config_dir), marking where service and check definitions can be found. @@ -81,7 +87,7 @@ All together, these settings yield a ```text vagrant@n1:~$ consul agent -server -bootstrap-expect=1 \ -data-dir=/tmp/consul -node=agent-one -bind=172.20.20.10 \ - -check-enable-exec=true -config-dir=/etc/consul.d + -enable-script-checks=true -config-dir=/etc/consul.d ... ``` @@ -102,7 +108,7 @@ All together, these settings yield a ```text vagrant@n2:~$ consul agent -data-dir=/tmp/consul -node=agent-two \ - -bind=172.20.20.11 -check-enable-exec=true -config-dir=/etc/consul.d + -bind=172.20.20.11 -enable-script-checks=true -config-dir=/etc/consul.d ... ``` From d8d2c664b248e5b29047b6d233caf6bbe312fb88 Mon Sep 17 00:00:00 2001 From: James Phillips Date: Mon, 17 Jul 2017 10:25:03 -0700 Subject: [PATCH 5/7] Changes "4K" to "4KB". --- website/source/docs/agent/checks.html.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/website/source/docs/agent/checks.html.md b/website/source/docs/agent/checks.html.md index 9f092221d9f0..6938e9c0f983 100644 --- a/website/source/docs/agent/checks.html.md +++ b/website/source/docs/agent/checks.html.md 
@@ -21,7 +21,7 @@ There are five different kinds of checks: that performs the health check, exits with an appropriate exit code, and potentially generates some output. A script is paired with an invocation interval (e.g. every 30 seconds). This is similar to the Nagios plugin system. The output of - a script check is limited to 4K. Output larger than this will be truncated. + a script check is limited to 4KB. Output larger than this will be truncated. By default, Script checks will be configured with a timeout equal to 30 seconds. It is possible to configure a custom Script check timeout value by specifying the `timeout` field in the check definition. In Consul 0.9.0 and later, the agent @@ -40,7 +40,7 @@ There are five different kinds of checks: configured with a request timeout equal to the check interval, with a max of 10 seconds. It is possible to configure a custom HTTP check timeout value by specifying the `timeout` field in the check definition. The output of the - check is limited to roughly 4K. Responses larger than this will be truncated. + check is limited to roughly 4KB. Responses larger than this will be truncated. HTTP checks also support SSL. By default, a valid SSL certificate is expected. Certificate verification can be turned off by setting the `tls_skip_verify` field to `true` in the check definition. @@ -84,7 +84,7 @@ There are five different kinds of checks: The check should be paired with an invocation interval. The shell on which the check has to be performed is configurable which makes it possible to run containers which have different shells on the same host. Check output for Docker is limited to - 4K. Any output larger than this will be truncated. In Consul 0.9.0 and later, the agent + 4KB. Any output larger than this will be truncated. In Consul 0.9.0 and later, the agent must be configured with [`enable_script_checks`](/docs/agent/options.html#_enable_script_checks) set to `true` in order to enable script checks. 
From 211d18d461c933f8f1e5a0b707a3317b9a7d43cb Mon Sep 17 00:00:00 2001
From: James Phillips
Date: Mon, 17 Jul 2017 10:25:52 -0700
Subject: [PATCH 6/7] Clarifies note about Docker health checks.

---
 website/source/docs/agent/checks.html.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/website/source/docs/agent/checks.html.md b/website/source/docs/agent/checks.html.md
index 6938e9c0f983..7685ce2c43b7 100644
--- a/website/source/docs/agent/checks.html.md
+++ b/website/source/docs/agent/checks.html.md
@@ -86,7 +86,7 @@ There are five different kinds of checks:
 have different shells on the same host. Check output for Docker is limited to
 4KB. Any output larger than this will be truncated. In Consul 0.9.0 and later, the agent
 must be configured with [`enable_script_checks`](/docs/agent/options.html#_enable_script_checks)
- set to `true` in order to enable script checks.
+ set to `true` in order to enable Docker health checks.
 
 ## Check Definition
 

From d29a27f248d795df5740e617c189cb7580e7bb1e Mon Sep 17 00:00:00 2001
From: James Phillips
Date: Mon, 17 Jul 2017 11:14:23 -0700
Subject: [PATCH 7/7] Turns off script checks by default in unit tests.

---
 agent/agent_test.go | 27 ++++++++++++++++++---------
 agent/testagent.go | 1 -
 api/agent_test.go | 4 +++-
 testutil/server.go | 3 +--
 4 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/agent/agent_test.go b/agent/agent_test.go
index 4792acc152f3..c19ab9832333 100644
--- a/agent/agent_test.go
+++ b/agent/agent_test.go
@@ -628,7 +628,9 @@ func TestAgent_RemoveServiceRemovesAllChecks(t *testing.T) {
 
 func TestAgent_AddCheck(t *testing.T) {
 t.Parallel()
- a := NewTestAgent(t.Name(), nil)
+ cfg := TestConfig()
+ cfg.EnableScriptChecks = true
+ a := NewTestAgent(t.Name(), cfg)
 defer a.Shutdown()
 
 health := &structs.HealthCheck{
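Review bot: The three-line opt-in `cfg := TestConfig()` / `cfg.EnableScriptChecks = true` / `a := NewTestAgent(t.Name(), cfg)` introduced in the `@@ -628,7 +628,9 @@` hunk is repeated verbatim in the TestAgent_AddCheck_StartPassing, TestAgent_AddCheck_MinInterval, TestAgent_AddCheck_MissingService and TestAgent_RemoveCheck hunks that follow, and two further tests add the same assignment to an existing cfg. A small helper in this test file (for example a constructed `newScriptCheckAgent(t)` that wraps TestConfig and NewTestAgent) would make the reason for the opt-in visible at each call site and leave a single place to update if the option is renamed again, as it was from `check_enable_exec` earlier in this series. The tests behave correctly as written; this is only about how the setup reads. TestAgent_AddCheck continues past the hunk.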
@@ -665,7 +667,9 @@ func TestAgent_AddCheck(t *testing.T) {
 
 func TestAgent_AddCheck_StartPassing(t *testing.T) {
 t.Parallel()
- a := NewTestAgent(t.Name(), nil)
+ cfg := TestConfig()
+ cfg.EnableScriptChecks = true
+ a := NewTestAgent(t.Name(), cfg)
 defer a.Shutdown()
 
 health := &structs.HealthCheck{
@@ -702,7 +706,9 @@ func TestAgent_AddCheck_StartPassing(t *testing.T) {
 
 func TestAgent_AddCheck_MinInterval(t *testing.T) {
 t.Parallel()
- a := NewTestAgent(t.Name(), nil)
+ cfg := TestConfig()
+ cfg.EnableScriptChecks = true
+ a := NewTestAgent(t.Name(), cfg)
 defer a.Shutdown()
 
 health := &structs.HealthCheck{
@@ -735,7 +741,9 @@ func TestAgent_AddCheck_MinInterval(t *testing.T) {
 
 func TestAgent_AddCheck_MissingService(t *testing.T) {
 t.Parallel()
- a := NewTestAgent(t.Name(), nil)
+ cfg := TestConfig()
+ cfg.EnableScriptChecks = true
+ a := NewTestAgent(t.Name(), cfg)
 defer a.Shutdown()
 
 health := &structs.HealthCheck{
@@ -800,10 +808,7 @@ func TestAgent_AddCheck_RestoreState(t *testing.T) {
 
 func TestAgent_AddCheck_ExecDisable(t *testing.T) {
 t.Parallel()
- cfg := TestConfig()
- cfg.EnableScriptChecks = false
-
- a := NewTestAgent(t.Name(), cfg)
+ a := NewTestAgent(t.Name(), nil)
 defer a.Shutdown()
 
 health := &structs.HealthCheck{
@@ -829,7 +834,9 @@ func TestAgent_AddCheck_ExecDisable(t *testing.T) {
 
 func TestAgent_RemoveCheck(t *testing.T) {
 t.Parallel()
- a := NewTestAgent(t.Name(), nil)
+ cfg := TestConfig()
+ cfg.EnableScriptChecks = true
+ a := NewTestAgent(t.Name(), cfg)
 defer a.Shutdown()
 
 // Remove check that doesn't exist
@@ -1127,6 +1134,7 @@ func TestAgent_PersistCheck(t *testing.T) {
 cfg := TestConfig()
 cfg.Server = false
 cfg.DataDir = testutil.TempDir(t, "agent") // we manage the data dir
+ cfg.EnableScriptChecks = true
 a := NewTestAgent(t.Name(), cfg)
 defer os.RemoveAll(cfg.DataDir)
 defer a.Shutdown()
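Review bot: TestAgent_AddCheck_ExecDisable, in the `@@ -800,10 +808,7 @@` hunk, now depends on `TestConfig()` leaving `EnableScriptChecks` at its zero value instead of setting it to false itself, which makes it the one test that pins the disabled-by-default behaviour without anything in the test saying so. A comment above `a := NewTestAgent(t.Name(), nil)` such as `// Relies on TestConfig() leaving EnableScriptChecks false, the same default a production agent gets.` would record that dependency. An explicit guard at the top of the test, `if TestConfig().EnableScriptChecks { t.Fatal("test config must leave script checks disabled") }`, would make a later change to TestConfig fail here with a clear message rather than as an unexpected AddCheck success. The function's body continues past the hunk.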
@@ -1260,6 +1268,7 @@ func TestAgent_PurgeCheckOnDuplicate(t *testing.T) {
 cfg := TestConfig()
 cfg.Server = false
 cfg.DataDir = testutil.TempDir(t, "agent") // we manage the data dir
+ cfg.EnableScriptChecks = true
 a := NewTestAgent(t.Name(), cfg)
 defer os.RemoveAll(cfg.DataDir)
 defer a.Shutdown()
diff --git a/agent/testagent.go b/agent/testagent.go
index 853619f7fdbc..cf5d98c4db77 100644
--- a/agent/testagent.go
+++ b/agent/testagent.go
@@ -314,7 +314,6 @@ func TestConfig() *Config {
 cfg.Datacenter = "dc1"
 cfg.Bootstrap = true
 cfg.Server = true
- cfg.EnableScriptChecks = true
 
 ccfg := consul.DefaultConfig()
 cfg.ConsulConfig = ccfg
diff --git a/api/agent_test.go b/api/agent_test.go
index 01ba9f88d3f4..d49630d66071 100644
--- a/api/agent_test.go
+++ b/api/agent_test.go
@@ -529,7 +529,9 @@ func TestAPI_AgentChecks_serviceBound(t *testing.T) {
 
 func TestAPI_AgentChecks_Docker(t *testing.T) {
 t.Parallel()
- c, s := makeClient(t)
+ c, s := makeClientWithConfig(t, nil, func(c *testutil.TestServerConfig) {
+ c.EnableScriptChecks = true
+ })
 defer s.Stop()
 
 agent := c.Agent()
diff --git a/testutil/server.go b/testutil/server.go
index 2077da31a8d7..969d06a58481 100644
--- a/testutil/server.go
+++ b/testutil/server.go
@@ -125,8 +125,7 @@ func defaultServerConfig() *TestServerConfig {
 Server: randomPort(),
 RPC: randomPort(),
 },
- EnableScriptChecks: true,
- ReadyTimeout: 10 * time.Second,
+ ReadyTimeout: 10 * time.Second,
 }
 }
 
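Review bot: Removing `cfg.EnableScriptChecks = true` from TestConfig() in the agent/testagent.go hunk leaves nothing in the function saying that script checks are now off on purpose, so a later reader may reinstate the line as a convenience and silently put every agent test back on the permissive configuration; the same applies to the `EnableScriptChecks: true` field dropped from defaultServerConfig() in the testutil/server.go hunk. A short comment where each line was, e.g. `// EnableScriptChecks is deliberately left false so tests run with the agent's default; tests that register script or Docker checks opt in explicitly.`, would keep the rationale next to the zero value in both places. Both functions extend beyond their hunks.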
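Review bot: In the api/agent_test.go hunk the closure parameter passed to `makeClientWithConfig` is named `c`, the same name the enclosing statement binds to the returned client, so `c.EnableScriptChecks = true` reads as if it configured the client rather than the *testutil.TestServerConfig. Naming the parameter after what it is, `func(conf *testutil.TestServerConfig) { conf.EnableScriptChecks = true }`, removes the ambiguity at no cost. TestAPI_AgentChecks_Docker continues past the hunk.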