
Consul部署

陳斯托洛夫斯記
发布2022-10-27 15:17:45

集群部署

节点IP

节点名称

192.168.1.181

consul-01

192.168.1.182

consul-02

192.168.1.183

consul-03

节点一配置

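# Create the directory layout
mkdir -p /data/consul/{data,conf,bin,logs}

# Download the consul release archive and unpack it into /data/consul/bin/

# Create the configuration file.
# The notes sit here rather than inside the file body because JSON has no
# comment syntax and a "#" inside the file would make it unparseable.
#   encrypt                      - gossip encryption key from `consul keygen`; it must be
#                                  identical on all three nodes. The value printed below is
#                                  a published sample: generate a private one and keep this
#                                  file readable only by the account that runs the agent.
#   client_addr                  - "0.0.0.0" makes the client interfaces (including the HTTP
#                                  API/UI on port 8500) listen on every interface; bind to the
#                                  internal address or firewall it if the host has other networks.
#   acl.default_policy           - defaults to "allow"; set to "deny" to enforce custom permissions
#   acl.enable_token_persistence - persist tokens to disk
#   acl.enable_key_list_policy   - allow recursive KV operations
vim /data/consul/conf/consul-01.json

{
    "datacenter": "dc1",
    "primary_datacenter": "dc1",
    "bootstrap_expect": 3,
    "start_join":[
        "192.168.1.181",
        "192.168.1.182",
        "192.168.1.183"
    ],
    "retry_join":[
        "192.168.1.181",
        "192.168.1.182",
        "192.168.1.183"
    ],
    "advertise_addr": "192.168.1.181",
    "bind_addr": "192.168.1.181",
    "client_addr": "0.0.0.0",
    "server": true,
    "ui": true,
    "connect":{
        "enabled": true
    },
    "node_name": "consul-01",
    "data_dir": "/data/consul/data/",
    "enable_script_checks": false,
    "enable_local_script_checks": false,
    "log_file": "/data/consul/logs/",
    "log_level": "info",
    "log_rotate_bytes": 100000000,
    "log_rotate_duration": "24h",
    "encrypt": "Nliwp+3S19aCAY8Sq7G5NJUqVkBwqNyG13v1BExCMd4=",
    "acl": {
        "enabled": true,
        "default_policy": "deny",
        "enable_token_persistence": true,
        "enable_key_list_policy": true
    }
}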
# Create the systemd unit file
vim /usr/lib/systemd/system/consul.service


[Unit]
Description="HashiCorp Consul - A service mesh solution"
Documentation=https://www.consul.io/
Requires=network-online.target
After=network-online.target

[Service]
Type=notify
# NOTE(review): the agent runs as root. As far as this page shows, nothing it
# touches needs root (every path is under /data/consul), so a dedicated
# unprivileged account that owns /data/consul would limit the impact of an
# agent compromise. Confirm before changing.
User=root
# Loads every configuration file found in /data/consul/conf/
ExecStart=/data/consul/bin/consul agent -config-dir=/data/consul/conf/
# Reload sends SIGHUP to the main agent process
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGTERM
Restart=on-failure
LimitNOFILE=10240
LimitNPROC=10240

[Install]
WantedBy=multi-user.target
# Pick up the new unit file, then enable the service at boot and start it
systemctl daemon-reload
systemctl enable --now consul

节点二配置

# Create the directory layout
mkdir -p /data/consul/{data,conf,bin,logs}

# Download the consul release archive and unpack it into /data/consul/bin/

# Create the configuration file (identical to node one except for the
# advertise/bind address and the node name).
# NOTE(review): "encrypt" must be the same on every node, but the value printed
# here is a published sample; generate a private key with `consul keygen` and
# keep this file readable only by the account that runs the agent.
# NOTE(review): "client_addr": "0.0.0.0" makes the client interfaces (including
# the HTTP API/UI on port 8500) listen on every interface; bind to the internal
# address or firewall it if the host has other networks.
vim /data/consul/conf/consul-02.json

{
    "datacenter": "dc1",
    "primary_datacenter": "dc1",
    "bootstrap_expect": 3,
    "start_join":[
        "192.168.1.181",
        "192.168.1.182",
        "192.168.1.183"
    ],
    "retry_join":[
        "192.168.1.181",
        "192.168.1.182",
        "192.168.1.183"
    ],
    "advertise_addr": "192.168.1.182",
    "bind_addr": "192.168.1.182",
    "client_addr": "0.0.0.0",
    "server": true,
    "ui": true,
    "connect":{
        "enabled": true
    },
    "node_name": "consul-02",
    "data_dir": "/data/consul/data/",
    "enable_script_checks": false,
    "enable_local_script_checks": false,
    "log_file": "/data/consul/logs/",
    "log_level": "info",
    "log_rotate_bytes": 100000000,
    "log_rotate_duration": "24h",
    "encrypt": "Nliwp+3S19aCAY8Sq7G5NJUqVkBwqNyG13v1BExCMd4=",
    "acl": {
        "enabled": true,
        "default_policy": "deny",
        "enable_token_persistence": true,
	"enable_key_list_policy":true
    }
}
# Create the systemd unit file
vim /usr/lib/systemd/system/consul.service


[Unit]
Description="HashiCorp Consul - A service mesh solution"
Documentation=https://www.consul.io/
Requires=network-online.target
After=network-online.target

[Service]
Type=notify
# NOTE(review): the agent runs as root. As far as this page shows, nothing it
# touches needs root (every path is under /data/consul), so a dedicated
# unprivileged account that owns /data/consul would limit the impact of an
# agent compromise. Confirm before changing.
User=root
# Loads every configuration file found in /data/consul/conf/
ExecStart=/data/consul/bin/consul agent -config-dir=/data/consul/conf/
# Reload sends SIGHUP to the main agent process
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGTERM
Restart=on-failure
LimitNOFILE=10240
LimitNPROC=10240

[Install]
WantedBy=multi-user.target
# Pick up the new unit file, then enable the service at boot and start it
systemctl daemon-reload
systemctl enable --now consul

节点三配置

# Create the directory layout
mkdir -p /data/consul/{data,conf,bin,logs}

# Download the consul release archive and unpack it into /data/consul/bin/

# Create the configuration file (identical to node one except for the
# advertise/bind address and the node name).
# NOTE(review): "encrypt" must be the same on every node, but the value printed
# here is a published sample; generate a private key with `consul keygen` and
# keep this file readable only by the account that runs the agent.
# NOTE(review): "client_addr": "0.0.0.0" makes the client interfaces (including
# the HTTP API/UI on port 8500) listen on every interface; bind to the internal
# address or firewall it if the host has other networks.
vim /data/consul/conf/consul-03.json

{
    "datacenter": "dc1",
    "primary_datacenter": "dc1",
    "bootstrap_expect": 3,
    "start_join":[
        "192.168.1.181",
        "192.168.1.182",
        "192.168.1.183"
    ],
    "retry_join":[
        "192.168.1.181",
        "192.168.1.182",
        "192.168.1.183"
    ],
    "advertise_addr": "192.168.1.183",
    "bind_addr": "192.168.1.183",
    "client_addr": "0.0.0.0",
    "server": true,
    "ui": true,
    "connect":{
        "enabled": true
    },
    "node_name": "consul-03",
    "data_dir": "/data/consul/data/",
    "enable_script_checks": false,
    "enable_local_script_checks": false,
    "log_file": "/data/consul/logs/",
    "log_level": "info",
    "log_rotate_bytes": 100000000,
    "log_rotate_duration": "24h",
    "encrypt": "Nliwp+3S19aCAY8Sq7G5NJUqVkBwqNyG13v1BExCMd4=",
    "acl": {
        "enabled": true,
        "default_policy": "deny",
        "enable_token_persistence": true,
	"enable_key_list_policy":true
    }
}
# Create the systemd unit file
vim /usr/lib/systemd/system/consul.service


[Unit]
Description="HashiCorp Consul - A service mesh solution"
Documentation=https://www.consul.io/
Requires=network-online.target
After=network-online.target

[Service]
Type=notify
# NOTE(review): the agent runs as root. As far as this page shows, nothing it
# touches needs root (every path is under /data/consul), so a dedicated
# unprivileged account that owns /data/consul would limit the impact of an
# agent compromise. Confirm before changing.
User=root
# Loads every configuration file found in /data/consul/conf/
ExecStart=/data/consul/bin/consul agent -config-dir=/data/consul/conf/
# Reload sends SIGHUP to the main agent process
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGTERM
Restart=on-failure
LimitNOFILE=10240
LimitNPROC=10240

[Install]
WantedBy=multi-user.target
# Pick up the new unit file, then enable the service at boot and start it
systemctl daemon-reload
systemctl enable --now consul

启用 ACL 访问控制

# Restart consul, then initialise the ACL system from any one node.
# NOTE(review): the SecretID printed below is the global-management (superuser)
# token. The value shown is a published sample; treat the real one as a root
# credential and keep it out of shell history, tickets and documentation.
[root@i-lra7lmuy ~]# consul acl bootstrap
AccessorID:       9bf939ae-cb49-655a-0cc5-adbf6d29b239
SecretID:         98633362-4795-75e0-2c4b-849a7195e3c9
Description:      Bootstrap Token (Global Management)
Local:            false
Create Time:      2022-04-03 12:34:28.883028023 +0800 CST
Policies:
   00000000-0000-0000-0000-000000000001 - global-management
该命令只能执行一次,生成的SecretID拥有最高权限

# Edit the configuration file on all three nodes to add the ACL tokens.
# NOTE(review): "agent" is set to the same bootstrap management token, so every
# agent's on-disk configuration holds superuser credentials. A separate token
# limited to what the agent itself needs is the least-privilege choice.
# NOTE(review): in Consul 1.11 and later "master" is the deprecated name of
# "initial_management" - confirm against the version in use.
...
    "acl": {
        "enabled": true,
        "default_policy": "deny",
        "enable_token_persistence": true,
	"enable_key_list_policy":true,
	"tokens": {
            "master": "98633362-4795-75e0-2c4b-849a7195e3c9",
	    "agent": "98633362-4795-75e0-2c4b-849a7195e3c9"
        }
    }

配置规则

浏览器访问http://ip:8500,输入上面生成的SecretID。注意:此处是明文HTTP,SecretID会以明文在网络上传输,建议只在受信任的内网中访问,或为Consul启用HTTPS。

默认Policy:global-management,这个是拥有最高权限的SecretID,等于超级管理员

AccessorID:访问ID,唯一,对应一个token。Scope:作用范围。Roles & Policies:拥有的角色或策略,AccessorID通过关联不同的角色和策略来控制访问权限。

# NOTE(review): taken together these rules grant write on every service, every
# node and every KV key outside config/. A token carrying this policy is close
# to unrestricted; narrow the prefixes to what each application actually uses.

# Service rules
service_prefix "" {
    policy = "write"		# every service is writable
}

# Node rules
node_prefix "" {
    policy = "write"
}

# KV rules
# NOTE(review): the empty prefix is declared twice ("list" here, "write" below);
# how the two rules combine is not shown on this page - verify the effective
# permission, or keep a single rule for the prefix.
kv_prefix "" {
    policy = "list"		# recursive list allowed on all keys
}

kv_prefix "" {
    policy = "write"		# write allowed on all keys
}

# The most specific prefix wins, so keys under config/ are read-only
# despite the broader write rule above.
kv_prefix "config/" {
    policy = "read"		# keys starting with config/ are readable
}

单机部署

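# Download the release archive together with its published checksum list
https://releases.hashicorp.com/consul/1.11.4/consul_1.11.4_linux_amd64.zip
https://releases.hashicorp.com/consul/1.11.4/consul_1.11.4_SHA256SUMS

# Verify the archive before unpacking; do not continue if the check fails
sha256sum -c --ignore-missing consul_1.11.4_SHA256SUMS

# Unpack
mkdir -p /data/consul/{conf,data,logs,bin}
unzip consul_1.11.4_linux_amd64.zip -d /data/consul/bin/

# Shell completion. The binary path matches the unpack directory above and the
# ExecStart line of the unit file below.
/data/consul/bin/consul -autocomplete-install
complete -C /data/consul/bin/consul consul

# Edit the configuration file.
# NOTE(review): this configuration enables neither ACLs nor gossip encryption,
# while the API and UI listen on 192.168.1.100. Anything that can reach that
# address can read and change the agent's data, so use it as shown only on an
# isolated test network; the cluster configuration earlier on this page shows
# the "acl" and "encrypt" settings.
# NOTE(review): "dec1" may be a typo for "dc1" (the name used in the cluster
# section) - confirm.
vim /data/consul/conf/consul.json
{
    "bind_addr": "192.168.1.100",
    "bootstrap_expect": 1,
    "client_addr": "192.168.1.100",
    "data_dir": "/data/consul/data/",
    "datacenter": "dec1",
    "disable_update_check": false,
    "enable_syslog": true,
    "log_level": "INFO",
    "server": true,
    "syslog_facility": "local0",
    "ui": true,
    "performance": {
        "raft_multiplier": 1
    }
}

# Create the systemd unit file
vim /usr/lib/systemd/system/consul.service


[Unit]
Description="HashiCorp Consul - A service mesh solution"
Documentation=https://www.consul.io/
Requires=network-online.target
After=network-online.target

[Service]
Type=notify
# NOTE(review): the agent runs as root. As far as this page shows, nothing it
# touches needs root (every path is under /data/consul), so a dedicated
# unprivileged account that owns /data/consul would limit the impact of an
# agent compromise. Confirm before changing.
User=root
ExecStart=/data/consul/bin/consul agent -config-dir=/data/consul/conf/
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGTERM
Restart=on-failure
LimitNOFILE=10240
LimitNPROC=10240

[Install]
WantedBy=multi-user.target

# Start
systemctl daemon-reload
systemctl start consul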

consul备份与还原

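# The ACL token is read from a file instead of being passed with -token=,
# which would expose it in the process list and in shell history.
# PLACEHOLDER path: point this at a file only the operator can read (chmod 600).
token_file=/path/to/consul-token

# Back up. The snapshot holds the server state, including KV data and ACL
# tokens, so store consul.snap with the same care as the token itself.
consul snapshot save --http-addr=http://127.0.0.1:8500 -token-file="$token_file" consul.snap

# Inspect the snapshot file
consul snapshot inspect consul.snap

# Restore the Consul server state
consul snapshot restore --http-addr=http://127.0.0.1:8500 -token-file="$token_file" consul.snap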

KV的导出与导入

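# The ACL token is read from a file instead of being passed with -token=,
# which would expose it in the process list and in shell history.
# PLACEHOLDER path: point this at a file only the operator can read (chmod 600).
token_file=/path/to/consul-token

# Export all KV pairs. The last argument is the key prefix to export; an empty
# prefix exports everything. kv.json then contains every exported value, so
# restrict who can read it.
consul kv export --http-addr=http://127.0.0.1:8500 -token-file="$token_file" '' > kv.json

# Import. The @file argument may also be an absolute path,
# e.g. @/data/consul/consul_kv.json
consul kv import --http-addr=http://127.0.0.1:8500 -token-file="$token_file" @kv.json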