mattfinlayson / ansible-consul
Ansible role for consul
License: Apache License 2.0
Currently Ansible Galaxy lists two packages for this role: savagegus.consul and savagegus.ansible-consul, both referring to this repo. savagegus.consul is the one many people use (3768 downloads), but it hasn't had any updates since 1.3, and savagegus.ansible-consul has more recent versions (1.8 as of time of writing), but only a dozen or so downloads.
Is this intentional? It looks like accidental republish under a different name.
TASK [savagegus.consul : install deps (RHEL)] **********************************
failed: [consul1] => (item=[u'unzip', u'jq']) => {"changed": false, "failed": true, "item": ["unzip", "jq"], "msg": "No Package matching 'jq' found available, installed or updated", "rc": 0, "results": []}
It's not in yum, maybe consider pip install jq instead?
This role is working wonderfully under ansible-1.9.1, thanks.
Just a heads up, though. It breaks with ansible-2.0.0 devel:
TASK [savagegus.consul : savagegus.consul : consul config file] *****************
fatal: [i-a001010a]: FAILED! => {"msg": "UndefinedError: 'ansible_fqdn' is undefined", "failed": true, "changed": false}
fatal: [i-a101010b]: FAILED! => {"msg": "UndefinedError: 'ansible_fqdn' is undefined", "failed": true, "changed": false}
fatal: [i-be010114]: FAILED! => {"msg": "UndefinedError: 'ansible_fqdn' is undefined", "failed": true, "changed": false}
The hosts in question were created by the ec2 module, and their hostgroup was created with the add_host module.
With the "-ui-dir /path/to/ui" option the consul ui is available at http://localhost:8500/ui by default; however, ansible-consul has a curious dependency on an Ubuntu specific nginx role to enable the ui. It seems out of place. Can we have a simple ui option?
If consul_verify_server_hostname isn't specified as a string "false" it gets set to the default of true.
I am having problems with geerlingguy.nginx for RHEL. It looks like it was updated a few days ago. I believe it has something to do with the configuration validation for NGINX. Am I the only one experiencing this?
Hello.
Do you have plans to add tasks for installing consul template utility?
Thank you for great Ansible role.
I do not want to check for updates, the disable_update_check parameter (https://www.consul.io/docs/agent/options.html#disable_update_check) should be configurable.
After you install dnsmasq, unless you configure listen-address= in /etc/dnsmasq.conf, you will have a big DNS vulnerability on your server (test it with http://openresolver.com/). Please consider adding a step to limit listen-address=127.0.0.1.
Hi,
tasks/install.yaml doesn't check for the existence of the consul binary and will skip unpacking the archive if the archive is already present.
For example: if /tmp/0.5.2_linux_amd64.zip is present and /opt/consul/bin/consul is not present, the "when: consul_was_downloaded|changed" in "copy and unpack" will not trigger the task.
Deleting consul_home to start anew will leave the archive in place. consul_home will be repopulated with everything except the consul binary.
For access to the consul executable by users and the UI content by the nginx user, the consul directory should be world readable. Currently, /opt/consul is only accessible by user consul. Maybe the default has changed in Ansible.
I see that there is a task that appends the executable onto $PATH, but if I run sudo su and then try and run consul I get consul: command not found.
Might be a simple question, but is there a way to make the executable available to sudo without changing the consul user?
Thanks!
On many machines I'd like to have the client there but don't want to run an agent. I just want to query a remote agent.
ansible-galaxy install savagegus.consul
The role tarball doesn't exist.
The role variable exists and is used in the consul.conf.j2 template, but is not documented in the README. The property doesn't have a default value, so I'm not sure about where is the best place to add it.
When I'm trying to create a consul cluster on SoftLayer, it works fine 'cause the private network binds to eth0.
But, for example, at Digital Ocean the private network binds to the eth1 interface.
So, I see something like 10.12.0.9 in the address when using consul members.
Maybe change the bind_addr declaration in consul.json.j2 to:
"bind_addr": {% for host in consul_servers %}{% if host in ansible_all_ipv4_addresses %}"{{host}}"{% endif %}{% endfor %},
?
looks like something is wrong with the logic here: https://github.com/jivesoftware/ansible-consul/blob/master/templates/consul.json.j2#L6
consul_servers: ['10.0.0.9', '10.0.1.6', '10.0.0.5']
results in this in the conf:
"start_join": ["10.0.0.9", "10.0.1.6", ],
which results in the error.
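Both the bind_addr proposal a few issues up and the trailing-comma failure here come from building JSON by hand in a Jinja loop. The block below is an added example (not the role's template) that reproduces the trailing-comma shape, shows serialising the list instead, and selects bind_addr by intersecting the host's addresses with consul_servers; the two input lists are constructed, and the Jinja equivalent named in the comment (`| to_json`) is an assumption about how the template would be written.

```python
import json

# Constructed inputs mirroring the issues: the role's consul_servers list and the
# ansible_all_ipv4_addresses fact gathered on one of those hosts.
CONSUL_SERVERS = ["10.0.0.9", "10.0.1.6", "10.0.0.5"]
HOST_IPV4 = ["127.0.0.1", "10.0.1.6", "172.17.0.1"]

def render_start_join_buggy(servers):
    """Hand-built list in the style of the template loop: every element is
    followed by a comma, so the output ends in '", ]' and is not valid JSON."""
    body = "".join('"%s", ' % s for s in servers)
    return '{"start_join": [%s]}' % body

def render_start_join_fixed(servers):
    """Serialise the list instead of templating brackets and commas. In Jinja the
    same result comes from "start_join": {{ consul_servers | to_json }} (assumed)."""
    return json.dumps({"start_join": list(servers)})

def is_valid_json(text):
    """What consul does at startup: parse the rendered config or refuse to run."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False

def select_bind_addr(host_ipv4, servers):
    """Pick the host's own address out of consul_servers, as the bind_addr issue
    proposes. Zero or several matches would render an empty or doubled value,
    so fail loudly instead of emitting broken config."""
    matches = [ip for ip in host_ipv4 if ip in servers]
    if len(matches) != 1:
        raise ValueError("expected exactly one of %s in consul_servers, got %s"
                         % (host_ipv4, matches))
    return matches[0]
```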
The flags -bind and -client will be overridden with auto generated content from the init script (consul.conf.j2). So you are not able to provide them via configuration.
The latest version on galaxy is from 2014.
Ansible Galaxy has an old version of this role (without systemd templates). Please add a new repository tag 1.2 and galaxy role.
Thank you.
Looks like we need:
acl_datacenter
acl_default_policy
acl_down_policy
acl_master_token
acl_token
acl_ttl
addresses {
dns:
http:
rpc:
}
ca_file
verify_incoming
verify_outgoing
cert_file
check_update_interval
disable_anonymous_signature
disable_remote_exec
disable_update_check
dns_config {
allow_stale
max_stale
node_ttl
service_ttl
}
domain
enable_debug
enable_syslog
key_file
leave_on_terminate
log_level
ports {
dns - The DNS server, -1 to disable. Default 8600.
http - The HTTP api, -1 to disable. Default 8500.
rpc - The RPC endpoint. Default 8400.
serf_lan - The Serf LAN port. Default 8301.
serf_wan - The Serf WAN port. Default 8302.
server - Server RPC address
}
protocol
recursor
skip_leave_on_interrupt
statsd_addr
statsite_addr
syslog_facility
Hi,
Can this playbook be used for configuring consul across multiple datacenters? How can we make sure nodes in two datacenters (DC1 and DC2) form a cluster? Thanks.
Thanks,
Govind
Hi,
Provisioning failed with error:
TASK [savagegus.consul : add CONSUL_RPC_ADDR to .bashrc] ***********************
fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "msg": "unsupported parameter for module: become_user"}
To resolve the failure:
I removed the following lines:
become=yes
become_user={{ consul_user }}
from tasks/install.yml -->name: add CONSUL_RPC_ADDR to .bashrc
and reran. The .bashrc file was created and Ansible finished successfully.
Please advise.
Riki
Hi,
I noticed that the ansible-galaxy (https://galaxy.ansible.com/detail#/role/1453) is not updated with the latest changes.
Can you please update it?
Thanks
Shay.
First, thanks for all of this. I'm new to Consul and this project helped me a lot.
When I set consul_client_address, I found that Dnsmasq no longer works. The problem is that 127.0.0.1 is hard-coded in dnsmasq.yml.
I fixed it by changing the line to this:
content='server=/{{ consul_domain }}/{{ consul_client_address }}#{{ consul_port_dns }}'
The various client addresses can be individually configured using the config file (https://www.consul.io/docs/agent/options.html) and the addresses object. I'm sure you know this. I don't know if you want to be able to set all the addresses individually in this project.
Thanks again for all of your work. This has been a huge help.
In commit 5bcfe7a, the "reload consul config" handler has a spelling error. "Commmand" should be "command".
Attempting to use Upstart with RHEL/CentOS 6 (after applying PR #160 to allow it) fails:
$ sudo start consul
consul start/running, process 19872
$ sudo status consul
consul stop/waiting
Adding some debugging to the Upstart script
exec &> /tmp/consul-upstart.log
set -x
reveals the cause:
$ cat /tmp/consul-upstart.log
+ sudo setcap CAP_NET_BIND_SERVICE=+eip /opt/consul/bin/consul
sudo: sorry, you must have a tty to run sudo
The fix is to use su instead of sudo, as explained here.
The nginx_user gets set improperly on RHEL and bootstrap provisioning fails unless nginx_user is set explicitly for this role in the play.
The problem exists here:
- { role: franklinkim.nginx, when: consul_install_nginx == true and ansible_os_family == "Debian" }
- { role: geerlingguy.nginx, when: consul_install_nginx == true and ansible_os_family == "RedHat" }
- { role: joshualund.golang, when: consul_install_consul_cli == true }
The problem appears to be that franklinkim's nginx sets nginx_user in its default/main.yml:
$ grep nginx_user defaults/main.yml
nginx_user: www-data
Which remains loaded for the successive role (geerlingguy.nginx). The next nginx role finds this variable set and won't override it with the platform default, even if that was not explicitly set by the user, but the previously attempted role.
Not sure if there is a safer way to "probe" role loading without cluttering the main namespace. I'm eager to learn if there is.
In default/main.yml we have:
consul_ui_dir: "{{ consul_home }}/dist"
At the same time, in tasks/install-ui.yml:
- name: copy and unpack ui
unarchive: >
src={{ consul_download_folder }}/{{ consul_ui_archive }}
dest={{ consul_home }}
copy=no
when: consul_ui_was_downloaded|changed
Which puts UI files a level higher than needed.
Changing to dest={{ consul_ui_dir }} resolves the issue.
The task "Download the Go tarball" fails when it is not run as root and wants to write to /usr/src; with e.g. Vagrant, the provisioner is not run as root by default.
A few questions arise from that:
Thanks for your attention!
Our hostnames are kinda long. We follow this standard, with one addition for vendor, so we get hostnames that end up being something like i-WWXXYYZZ.bastion.us-west-2.aws.int.example.com. Because the hostname is so long, when nginx tries to start up I get an error like:
Restarting nginx: nginx: [emerg] could not build the server_names_hash,
you should increase either server_names_hash_max_size: 256
or server_names_hash_bucket_size: 64.
(More info at Server Fault)
The fix for this is pretty simple, just add something like server_names_hash_max_size: 256 to the http section of the nginx.conf. I would just add this functionality to ansible-consul, but wanted to consult (hah! puns!) first as it might be a little out of scope for this project.
The last line of tasks/main.yml runs tasks/service.yml, starts consul if not started:
- service: >
name=consul
state=running
The next step is handlers/main.yml, which restarts consul:
- name: restart consul
action: service name=consul state=restarted enabled=yes
(Note the older "action: service" line. The newer "service: name=foo" form is used a few tasks later.)
[edit, again: There's something I don't understand about leadership election. I get no election on restart.]
They're almost the same, but not quite. My three server "datacenter" (Debian, systemd, with bootstrap_expect: 3) loses leadership on the restart and can't seem to regain it. A debug task shows Leadership is gained; that runs before the handler.
I removed the service.yml include and things seem to work as expected. I haven't figured out why the line is there. Maybe there's some difference with Ansible 2?
I am using this playbook for the consul server and it works like magic, love that!!
I am also using this playbook for consul client. It still installs nginx. Is there an option to override that?
The creation of the consul user always fails on hosts with it already existing because it is running the consul process
msg: usermod: user consul is currently used by process xxxx
Maybe we should register 'create consul group' and check if changed for 'create consul user'?
Apparently [1] [2], Ansible doesn't support running multiple handlers with the same name. Since franklinkim.nginx (for Debian) is loaded before geerlingguy.nginx (for RedHat), the reload nginx handler for Debian wins, and the reload is skipped:
RUNNING HANDLER [franklinkim.nginx : reload nginx] *****************************
skipping: [...] => {"changed": false, "skip_reason": "Conditional check failed", "skipped": true}
The result is getting the "Welcome to nginx!" page instead of the Consul UI. Running sudo nginx -s reload on the servers fixes the issue, as expected.
I'm not sure how to fix this without modifying the nginx modules.
https://github.com/savagegus/ansible-consul/blob/master/templates/consul.json.j2#L58-L60
I believe you'll need to set http to the client address in order for this to work?
If the consul config file changes, it should notify a handler to restart consul.
The SELinux task for consul-ui does not correctly detect when SELinux is enabled:
TASK [savagegus.consul : allow nginx to connect to consul (selinux)] *************
fatal: [...]: FAILED! => {"changed": false, "failed": true, "msg": "SELinux is disabled on this host."}
Perhaps I am missing something, but it seems that an option for setting recursors is missing. Is this because dnsmasq is preferred?
Can the ansible script check for that version and not download if consul_ui is true?
Is there a reason why there is https://github.com/jivesoftware/ansible-consul/blob/master/templates/consul.json.j2#L36 as well as https://github.com/jivesoftware/ansible-consul/blob/master/templates/consul.json.j2#L42?
So I recently upgraded to 0.6.0 and along with that I used a newer version of this role. There was a lot to grok, but everything seemed to work for my Consul server so I moved onto upgrading one of my clients. Things seemed to work on the Consul side after the upgrade until I realized that my docker containers could not resolve hosts using Consul DNS. After some troubleshooting, I could only get them to be able to use the DNS if -p 8600 was specified along with dig. That's weird... so I started to take a look at what had changed from the older role version I was using. After a LOT of testing, I finally found the culprit:
https://github.com/savagegus/ansible-consul/blob/master/tasks/dnsmasq.yml#L31-L44
Why was this added? @trumant
Doesn't this mean that anything outside of the local host (such as Docker containers) cannot go through dnsmasq for DNS lookups?
In the sample playbook, consul_is_ui: "true" should be consul_is_ui: true, or the conditionals throughout should change to compare against "true". It seems mixed between conditionals checking for matching strings or booleans.
Thanks for making this btw, great stuff!
Upstart is not only available in Debian, it should also work with ansible_os_family = 'RedHat'.
I can remove that check in the playbook. Sounds ok?
Does this playbook set up the consul cluster?
Have to restart dnsmasq and pause immediately after configuring. Otherwise the next step (installing tornado) will fail because pypi.python.org doesn't resolve.
diff --git a/roles/ansible-consul/tasks/dnsmasq.yml b/roles/ansible-consul/tasks/dnsmasq.yml
index 4686aa1..c960105 100644
--- a/roles/ansible-consul/tasks/dnsmasq.yml
+++ b/roles/ansible-consul/tasks/dnsmasq.yml
@@ -12,5 +12,11 @@
copy: >
content='server=/{{ consul_domain }}/127.0.0.1#8600'
dest=/etc/dnsmasq.d/10-consul
- notify:
- - restart dnsmasq
+ register: dnsmasq_configured
+
+- service: name=dnsmasq state=restarted
+ when: dnsmasq_configured|changed
+
+- pause: seconds=1
+ when dnsmasq_configured|changed
+
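Review bot: the added `when dnsmasq_configured|changed` on the pause task is missing the colon after `when`, so YAML cannot parse it as a key and the role will fail to load; it should read `when: dnsmasq_configured|changed`, matching the line on the service task above it. Dropping the `notify: restart dnsmasq` handler in favour of an inline `service: name=dnsmasq state=restarted` does give the immediate restart the description asks for, but neither new task has a `name:`, so add one to each so the restart and the pause are identifiable in play output.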
Hi,
I tried to run the consul provision using Ansible 2; the provision failed in several steps.
Do you plan to support ansible 2 ?
Thanks
Riki
Getting two errors:
"unsupported parameter for module: become_user"
"unsupported parameter for module: become"
For the add CONSUL_RPC_ADDR to .bashrc task in install.yml. Removing them fixed the issue. Should I open a PR?