» Consul Cluster
We've started our first agent and registered and queried a service on that agent. Additionally, we've configured Consul Connect to automatically authorize and encrypt connections between services. This showed how easy it is to use Consul but didn't show how this could be extended to a scalable, production-grade service mesh infrastructure. In this step, we'll create our first real cluster with multiple members.
When a Consul agent is started, it begins without knowledge of any other node: it is an isolated cluster of one. To learn about other cluster members, the agent must join an existing cluster. To join an existing cluster, it only needs to know about a single existing member. After it joins, the agent will gossip with this member and quickly discover the other members in the cluster. A Consul agent can join any other agent, not just agents in server mode.
» Starting the Agents
To simulate a more realistic cluster, we will start a two node cluster via Vagrant. The Vagrantfile we will be using can be found in the demo section of the Consul repo.
We first boot our two nodes:
$ vagrant up
Once the systems are available, we can ssh into them to begin configuration of our cluster. We start by logging in to the first node:
$ vagrant ssh n1
In our previous examples, we used the -dev
flag to quickly set up a development server.
However, this is not sufficient for use in a clustered environment. We will
omit the -dev
flag from here on, and instead specify our clustering flags as
outlined below.
Each node in a cluster must have a unique name. By default, Consul uses the
hostname of the machine, but we'll manually override it using the -node
command-line option.
We will also specify a bind
address:
this is the address that Consul listens on, and it must be accessible by
all other nodes in the cluster. While a bind
address is not strictly
necessary, it's always best to provide one. Consul will by default attempt to
listen on all IPv4 interfaces on a system, but will fail to start with an
error if multiple private IPs are found. Since production servers often
have multiple interfaces, specifying a bind
address assures that you will
never bind Consul to the wrong interface.
The first node will act as our sole server in this cluster, and we indicate
this with the server
switch.
The -bootstrap-expect
flag
hints to the Consul server the number of additional server nodes we are
expecting to join. The purpose of this flag is to delay the bootstrapping of
the replicated log until the expected number of servers has successfully joined.
You can read more about this in the bootstrapping
guide.
We've included the -enable-script-checks
flag set to true
in order to enable health checks that can execute external scripts.
This will be used in examples later. For production use, you'd want to configure
ACLs in conjunction with this to control the ability to
register arbitrary scripts.
Finally, we add the config-dir
flag,
marking where service and check definitions can be found.
All together, these settings yield a
consul agent
command like this:
vagrant@n1:~$ consul agent -server -bootstrap-expect=1 \
-data-dir=/tmp/consul -node=agent-one -bind=172.20.20.10 \
-enable-script-checks=true -config-dir=/etc/consul.d
...
Now, in another terminal, we will connect to the second node:
$ vagrant ssh n2
This time, we set the bind
address
address to match the IP of the second node as specified in the Vagrantfile
and the node
name to be agent-two
.
Since this node will not be a Consul server, we don't provide a
server
switch.
All together, these settings yield a
consul agent
command like this:
vagrant@n2:~$ consul agent -data-dir=/tmp/consul -node=agent-two \
-bind=172.20.20.11 -enable-script-checks=true -config-dir=/etc/consul.d
...
At this point, you have two Consul agents running: one server and one client.
The two Consul agents still don't know anything about each other and are each
part of their own single-node clusters. You can verify this by running
consul members
against each agent and noting
that only one member is visible to each agent.
» Joining a Cluster
Now, we'll tell the first agent to join the second agent by running the following commands in a new terminal:
$ vagrant ssh n1
...
vagrant@n1:~$ consul join 172.20.20.11
Successfully joined cluster by contacting 1 nodes.
You should see some log output in each of the agent logs. If you read
carefully, you'll see that they received join information. If you
run consul members
against each agent,
you'll see that both agents now know about each other:
vagrant@n2:~$ consul members
Node Address Status Type Build Protocol
agent-two 172.20.20.11:8301 alive client 0.5.0 2
agent-one 172.20.20.10:8301 alive server 0.5.0 2
Remember: To join a cluster, a Consul agent only needs to learn about one existing member. After joining the cluster, the agents gossip with each other to propagate full membership information.
» Auto-joining a Cluster on Start
Ideally, whenever a new node is brought up in your datacenter, it should automatically join the Consul cluster without human intervention. Consul facilitates auto-join by enabling the auto-discovery of instances in AWS, Google Cloud or Azure with a given tag key/value. To use the integration, add the retry_join_ec2
, retry_join_gce
or the retry_join_azure
nested object to your Consul configuration file. This will allow a new node to join the cluster without any hardcoded configuration. Alternatively, you can join a cluster at startup using the -join
flag or start_join
setting with hardcoded addresses of other known Consul agents.
» Querying Nodes
Just like querying services, Consul has an API for querying the nodes themselves. You can do this via the DNS or HTTP API.
For the DNS API, the structure of the names is NAME.node.consul
or
NAME.node.DATACENTER.consul
. If the datacenter is omitted, Consul
will only search the local datacenter.
For example, from "agent-one", we can query for the address of the node "agent-two":
vagrant@n1:~$ dig @127.0.0.1 -p 8600 agent-two.node.consul
...
;; QUESTION SECTION:
;agent-two.node.consul. IN A
;; ANSWER SECTION:
agent-two.node.consul. 0 IN A 172.20.20.11
The ability to look up nodes in addition to services is incredibly useful for system administration tasks. For example, knowing the address of the node to SSH into is as easy as making the node a part of the Consul cluster and querying it.
» Leaving a Cluster
To leave the cluster, you can either gracefully quit an agent (using
Ctrl-C
) or force kill one of the agents. Gracefully leaving allows
the node to transition into the left state; otherwise, other nodes
will detect it as having failed. The difference is covered
in more detail here.
» Next Steps
We now have a multi-node Consul cluster up and running. Let's make our services more robust by giving them health checks!