From 6b7ca99a691206647560b366c1a801bfb572cd30 Mon Sep 17 00:00:00 2001 From: Matt Keeler Date: Tue, 1 Jun 2021 16:49:58 -0400 Subject: [PATCH 1/5] Add licensing telemetry docs. --- website/content/docs/agent/telemetry.mdx | 98 ++++++++++++++---------- 1 file changed, 58 insertions(+), 40 deletions(-) diff --git a/website/content/docs/agent/telemetry.mdx b/website/content/docs/agent/telemetry.mdx index 90c3b9d2c8f3..f94dca0edef6 100644 --- a/website/content/docs/agent/telemetry.mdx +++ b/website/content/docs/agent/telemetry.mdx @@ -249,6 +249,23 @@ Note that if servers don't restart often, then the snapshot could have grown significantly since the last restore happened so last restore times might not reflect what would happen if an agent restarts now. +### License Expiration + +| Metric Name | Description | Unit | Type | +| :-------------------------------- | :--------------------------------------------------------------- | :---- | :---- | +| `consul.system.licenseExpiration` | Number of hours until the Consul Enterprise license will expire. | hours | gauge | + +**Why they're important:** + +This measurement indicates how many hours are left before the Consul Enterprise license expires. When the license expires some +Consul Enterprise features will cease to work. An example of this is that after expiration, it is no longer possible to create +or modify resources in non-default namespaces or to manage namespace definitions themselves even though reads of namespaced +resources will still work. + +**What to look for:** + +This metric should be monitored to ensure that the license doesn't expire to prevent degradation of functionality. + ## Metrics Reference @@ -256,51 +273,52 @@ This is a full list of metrics emitted by Consul. | Metric | Description | Unit | Type | | -------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | ------- | -| `consul.acl.blocked.{check,service}.deregistration` | Increments whenever a deregistration fails for an entity (check or service) is blocked by an ACL. | requests | counter | -| `consul.acl.blocked.{check,node,service}.registration` | Increments whenever a registration fails for an entity (check, node or service) is blocked by an ACL. | requests | counter | +| `consul.acl.blocked.{check,service}.deregistration` | Increments whenever a deregistration fails for an entity (check or service) is blocked by an ACL. | requests | counter | +| `consul.acl.blocked.{check,node,service}.registration` | Increments whenever a registration fails for an entity (check, node or service) is blocked by an ACL. | requests | counter | | `consul.api.http` | Migrated from consul.http.. this samples how long it takes to service the given HTTP request for the given verb and path. Includes labels for `path` and `method`. `path` does not include details like service or key names, for these an underscore will be present as a placeholder (eg. path=`v1.kv._`) | ms | timer | -| `consul.client.rpc` | Increments whenever a Consul agent in client mode makes an RPC request to a Consul server. This gives a measure of how much a given agent is loading the Consul servers. Currently, this is only generated by agents in client mode, not Consul servers. | requests | counter | -| `consul.client.rpc.exceeded` | Increments whenever a Consul agent in client mode makes an RPC request to a Consul server gets rate limited by that agent's [`limits`](/docs/agent/options#limits) configuration. This gives an indication that there's an abusive application making too many requests on the agent, or that the rate limit needs to be increased. Currently, this only applies to agents in client mode, not Consul servers. | rejected requests | counter | -| `consul.client.rpc.failed` | Increments whenever a Consul agent in client mode makes an RPC request to a Consul server and fails. | requests | counter | -| `consul.client.api.catalog_register.` | Increments whenever a Consul agent receives a catalog register request. | requests | counter | -| `consul.client.api.success.catalog_register.` | Increments whenever a Consul agent successfully responds to a catalog register request. | requests | counter | -| `consul.client.rpc.error.catalog_register.` | Increments whenever a Consul agent receives an RPC error for a catalog register request. | errors | counter | -| `consul.client.api.catalog_deregister.` | Increments whenever a Consul agent receives a catalog deregister request. | requests | counter | -| `consul.client.api.success.catalog_deregister.` | Increments whenever a Consul agent successfully responds to a catalog deregister request. | requests | counter | -| `consul.client.rpc.error.catalog_deregister.` | Increments whenever a Consul agent receives an RPC error for a catalog deregister request. | errors | counter | -| `consul.client.api.catalog_datacenters.` | Increments whenever a Consul agent receives a request to list datacenters in the catalog. | requests | counter | -| `consul.client.api.success.catalog_datacenters.` | Increments whenever a Consul agent successfully responds to a request to list datacenters. | requests | counter | -| `consul.client.rpc.error.catalog_datacenters.` | Increments whenever a Consul agent receives an RPC error for a request to list datacenters. | errors | counter | -| `consul.client.api.catalog_nodes.` | Increments whenever a Consul agent receives a request to list nodes from the catalog. | requests | counter | -| `consul.client.api.success.catalog_nodes.` | Increments whenever a Consul agent successfully responds to a request to list nodes. | requests | counter | -| `consul.client.rpc.error.catalog_nodes.` | Increments whenever a Consul agent receives an RPC error for a request to list nodes. | errors | counter | -| `consul.client.api.catalog_services.` | Increments whenever a Consul agent receives a request to list services from the catalog. | requests | counter | -| `consul.client.api.success.catalog_services.` | Increments whenever a Consul agent successfully responds to a request to list services. | requests | counter | -| `consul.client.rpc.error.catalog_services.` | Increments whenever a Consul agent receives an RPC error for a request to list services. | errors | counter | -| `consul.client.api.catalog_service_nodes.` | Increments whenever a Consul agent receives a request to list nodes offering a service. | requests | counter | -| `consul.client.api.success.catalog_service_nodes.` | Increments whenever a Consul agent successfully responds to a request to list nodes offering a service. | requests | counter | +| `consul.client.rpc` | Increments whenever a Consul agent in client mode makes an RPC request to a Consul server. This gives a measure of how much a given agent is loading the Consul servers. Currently, this is only generated by agents in client mode, not Consul servers. | requests | counter | +| `consul.client.rpc.exceeded` | Increments whenever a Consul agent in client mode makes an RPC request to a Consul server gets rate limited by that agent's [`limits`](/docs/agent/options#limits) configuration. This gives an indication that there's an abusive application making too many requests on the agent, or that the rate limit needs to be increased. Currently, this only applies to agents in client mode, not Consul servers. | rejected requests | counter | +| `consul.client.rpc.failed` | Increments whenever a Consul agent in client mode makes an RPC request to a Consul server and fails. | requests | counter | +| `consul.client.api.catalog_register.` | Increments whenever a Consul agent receives a catalog register request. | requests | counter | +| `consul.client.api.success.catalog_register.` | Increments whenever a Consul agent successfully responds to a catalog register request. | requests | counter | +| `consul.client.rpc.error.catalog_register.` | Increments whenever a Consul agent receives an RPC error for a catalog register request. | errors | counter | +| `consul.client.api.catalog_deregister.` | Increments whenever a Consul agent receives a catalog deregister request. | requests | counter | +| `consul.client.api.success.catalog_deregister.` | Increments whenever a Consul agent successfully responds to a catalog deregister request. | requests | counter | +| `consul.client.rpc.error.catalog_deregister.` | Increments whenever a Consul agent receives an RPC error for a catalog deregister request. | errors | counter | +| `consul.client.api.catalog_datacenters.` | Increments whenever a Consul agent receives a request to list datacenters in the catalog. | requests | counter | +| `consul.client.api.success.catalog_datacenters.` | Increments whenever a Consul agent successfully responds to a request to list datacenters. | requests | counter | +| `consul.client.rpc.error.catalog_datacenters.` | Increments whenever a Consul agent receives an RPC error for a request to list datacenters. | errors | counter | +| `consul.client.api.catalog_nodes.` | Increments whenever a Consul agent receives a request to list nodes from the catalog. | requests | counter | +| `consul.client.api.success.catalog_nodes.` | Increments whenever a Consul agent successfully responds to a request to list nodes. | requests | counter | +| `consul.client.rpc.error.catalog_nodes.` | Increments whenever a Consul agent receives an RPC error for a request to list nodes. | errors | counter | +| `consul.client.api.catalog_services.` | Increments whenever a Consul agent receives a request to list services from the catalog. | requests | counter | +| `consul.client.api.success.catalog_services.` | Increments whenever a Consul agent successfully responds to a request to list services. | requests | counter | +| `consul.client.rpc.error.catalog_services.` | Increments whenever a Consul agent receives an RPC error for a request to list services. | errors | counter | +| `consul.client.api.catalog_service_nodes.` | Increments whenever a Consul agent receives a request to list nodes offering a service. | requests | counter | +| `consul.client.api.success.catalog_service_nodes.` | Increments whenever a Consul agent successfully responds to a request to list nodes offering a service. | requests | counter | | `consul.client.api.error.catalog_service_nodes.` | Increments whenever a Consul agent receives an RPC error for request to list nodes offering a service. | requests | counter | -| `consul.client.rpc.error.catalog_service_nodes.` | Increments whenever a Consul agent receives an RPC error for a request to list nodes offering a service. | errors | counter | -| `consul.client.api.catalog_node_services.` | Increments whenever a Consul agent receives a request to list services registered in a node. | requests | counter | -| `consul.client.api.success.catalog_node_services.` | Increments whenever a Consul agent successfully responds to a request to list services in a node. | requests | counter | -| `consul.client.rpc.error.catalog_node_services.` | Increments whenever a Consul agent receives an RPC error for a request to list services in a node. | errors | counter | +| `consul.client.rpc.error.catalog_service_nodes.` | Increments whenever a Consul agent receives an RPC error for a request to list nodes offering a service.   | errors | counter | +| `consul.client.api.catalog_node_services.` | Increments whenever a Consul agent receives a request to list services registered in a node.   | requests | counter | +| `consul.client.api.success.catalog_node_services.` | Increments whenever a Consul agent successfully responds to a request to list services in a node.   | requests | counter | +| `consul.client.rpc.error.catalog_node_services.` | Increments whenever a Consul agent receives an RPC error for a request to list services in a node.   | errors | counter | | `consul.client.api.catalog_node_service_list` | Increments whenever a Consul agent receives a request to list a node's registered services. | requests | counter | | `consul.client.rpc.error.catalog_node_service_list` | Increments whenever a Consul agent receives an RPC error for request to list a node's registered services. | errors | counter | | `consul.client.api.success.catalog_node_service_list` | Increments whenever a Consul agent successfully responds to a request to list a node's registered services. | requests | counter | -| `consul.client.api.catalog_gateway_services.` | Increments whenever a Consul agent receives a request to list services associated with a gateway. | requests | counter | -| `consul.client.api.success.catalog_gateway_services.` | Increments whenever a Consul agent successfully responds to a request to list services associated with a gateway. | requests | counter | -| `consul.client.rpc.error.catalog_gateway_services.` | Increments whenever a Consul agent receives an RPC error for a request to list services associated with a gateway. | errors | counter | -| `consul.runtime.num_goroutines` | Tracks the number of running goroutines and is a general load pressure indicator. This may burst from time to time but should return to a steady state value. | number of goroutines | gauge | -| `consul.runtime.alloc_bytes` | Measures the number of bytes allocated by the Consul process. This may burst from time to time but should return to a steady state value. | bytes | gauge | -| `consul.runtime.heap_objects` | Measures the number of objects allocated on the heap and is a general memory pressure indicator. This may burst from time to time but should return to a steady state value. | number of objects | gauge | -| `consul.state.nodes` | Measures the current number of nodes registered with Consul. It is only emitted by Consul servers. Added in v1.9.0. | number of objects | gauge | -| `consul.state.services` | Measures the current number of unique services registered with Consul, based on service name. It is only emitted by Consul servers. Added in v1.9.0. | number of objects | gauge | -| `consul.state.service_instances` | Measures the current number of unique service instances registered with Consul. It is only emitted by Consul servers. Added in v1.9.0. | number of objects | gauge | -| `consul.dns.stale_queries` | Increments when an agent serves a query within the allowed stale threshold. | queries | counter | -| `consul.dns.ptr_query.` | Measures the time spent handling a reverse DNS query for the given node. | ms | timer | -| `consul.dns.domain_query.` | Measures the time spent handling a domain query for the given node. | ms | timer | -| `consul.http...` | DEPRECATED IN 1.9: Tracks how long it takes to service the given HTTP request for the given verb and path. Paths do not include details like service or key names, for these an underscore will be present as a placeholder (eg. `consul.http.GET.v1.kv._`) | ms | timer | -| `consul.version` | Measures the count of running agents. | agents | guage | +| `consul.client.api.catalog_gateway_services.` | Increments whenever a Consul agent receives a request to list services associated with a gateway. | requests | counter | +| `consul.client.api.success.catalog_gateway_services.` | Increments whenever a Consul agent successfully responds to a request to list services associated with a gateway. | requests | counter | +| `consul.client.rpc.error.catalog_gateway_services.` | Increments whenever a Consul agent receives an RPC error for a request to list services associated with a gateway. | errors | counter | +| `consul.runtime.num_goroutines` | Tracks the number of running goroutines and is a general load pressure indicator. This may burst from time to time but should return to a steady state value. | number of goroutines | gauge | +| `consul.runtime.alloc_bytes` | Measures the number of bytes allocated by the Consul process. This may burst from time to time but should return to a steady state value. | bytes | gauge | +| `consul.runtime.heap_objects` | Measures the number of objects allocated on the heap and is a general memory pressure indicator. This may burst from time to time but should return to a steady state value. | number of objects | gauge | +| `consul.state.nodes` | Measures the current number of nodes registered with Consul. It is only emitted by Consul servers. Added in v1.9.0. | number of objects | gauge | +| `consul.state.services` | Measures the current number of unique services registered with Consul, based on service name. It is only emitted by Consul servers. Added in v1.9.0. | number of objects | gauge | +| `consul.state.service_instances` | Measures the current number of unique service instances registered with Consul. It is only emitted by Consul servers. Added in v1.9.0. | number of objects | gauge | +| `consul.dns.stale_queries` | Increments when an agent serves a query within the allowed stale threshold. | queries | counter | +| `consul.dns.ptr_query.` | Measures the time spent handling a reverse DNS query for the given node. | ms | timer | +| `consul.dns.domain_query.` | Measures the time spent handling a domain query for the given node. | ms | timer | +| `consul.http...` | DEPRECATED IN 1.9: Tracks how long it takes to service the given HTTP request for the given verb and path. Paths do not include details like service or key names, for these an underscore will be present as a placeholder (eg. `consul.http.GET.v1.kv._`) | ms | timer | +| `consul.system.licenseExpiration` | This measures the number of hours remaining on the agents license. | hours | gauge | +| `consul.version` | Measures the count of running agents. | agents | guage | ## Server Health From f3595f53946612db452e626fb4fdb0c70386b3c0 Mon Sep 17 00:00:00 2001 From: Matt Keeler Date: Wed, 2 Jun 2021 14:34:46 -0400 Subject: [PATCH 2/5] Update licensing docs for 1.10 licensing --- website/content/docs/agent/options.mdx | 2 + website/content/docs/enterprise/index.mdx | 64 +++++++++++++++++------ 2 files changed, 49 insertions(+), 17 deletions(-) diff --git a/website/content/docs/agent/options.mdx b/website/content/docs/agent/options.mdx index 1eff8a70b49b..f3dddd7e2c0a 100644 --- a/website/content/docs/agent/options.mdx +++ b/website/content/docs/agent/options.mdx @@ -1636,6 +1636,8 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr - `leave_on_terminate` If enabled, when the agent receives a TERM signal, it will send a `Leave` message to the rest of the cluster and gracefully leave. The default behavior for this feature varies based on whether or not the agent is running as a client or a server (prior to Consul 0.7 the default value was unconditionally set to `false`). On agents in client-mode, this defaults to `true` and for agents in server-mode, this defaults to `false`. +- `license_path` This specifies the path to a file that contains the Consul Enterprise license. See the [licensing documentation](/docs/enterprise#licensing) for more information about Consul Enterprise license management. + - `limits` Available in Consul 0.9.3 and later, this is a nested object that configures limits that are enforced by the agent. Prior to Consul 1.5.2, this only applied to agents in client mode, not Consul servers. The following parameters diff --git a/website/content/docs/enterprise/index.mdx b/website/content/docs/enterprise/index.mdx index 7469717e635f..0903b522cc25 100644 --- a/website/content/docs/enterprise/index.mdx +++ b/website/content/docs/enterprise/index.mdx @@ -28,13 +28,18 @@ Enterprise](https://www.hashicorp.com/consul). ## Licensing -Licensing capabilities were added to Consul Enterprise v1.1.0. The license is set -once for a datacenter and will automatically propagate to all nodes within the -datacenter over a period of time scaled between 1 and 20 minutes depending on the -number of nodes in the datacenter. There are two methods for licensing Consul -enterprise. +All Consul Enterprise agents must be licensed when they are started. Where that license comes from will depend +on which binary is in use, whether the agent is a server, client or snapshot agent and whether ACLs have been +enabled for the cluster. -### Included in the Enterprise Package +-> ** Consul Enterprise v1.10.0 removed temporary licensing.** In previous versions Consul Enterprise +agents could start without a license and then have a license applied to them later on via the CLI +or API. That functionality has been removed and replaced with the ability to load licenses from the +agent's configuration or environment. Also prior to v1.10.0 server agents would automatically propagate +the license between themselves. This no longer occurs and the license must be present on each server +when they are started. + +### Binaries with Built In Licenses If you are downloading Consul from Amazon S3, then the license is included in the binary and you do not need to take further action. This is the @@ -44,16 +49,41 @@ In the S3 bucket you will find three Enterprise zip packages. The packages with `+prem` in the name, are the binaries that include the license. The package with `+ent` in the name does not include the license. -### Applied after Bootstrapping +When using these binaries no further action is necessary to configure the license. + +### Binaries Without Built In Licenses + +For binaries that do not include built in licenses a license must be available at the time the agent starts. +For server agents this means that they must either have the [`license_path`](/docs/agent/opts#license_path) +configuration set or have a license configured in the servers environment with the `CONSUL_LICENSE` or +`CONSUL_LICENSE_PATH` environment variables. Both the configuration item and the `CONSUL_LICENSE_PATH` +environment variable point to a file containing the license whereas the `CONSUL_LICENSE` environment +variable should contain the license as the value. If multiple of these are set the order of precedence is: + +1. `CONSUL_LICENSE` environment variable +2. `CONSUL_LICENSE_PATH` environment variable +3. `license_path` configuration item. + +Both client agents and the snapshot agent may also be licensed in the very same manner. However to prevent +the need to configure the license on many client agents and snapshot agents those agents have the capability +to retrieve the license automatically under specific circumstances. + +#### Client Agent License Retrieval + +When a client agent starts without a license in its configuration or environment, it will try to retrieve the +license from the servers via RPCs. That RPC always requires a valid non-anonymous ACL token to authorize the +request but the token doesn't need any particular permissions. As the license is required before the client +actually joins the cluster, where to make those RPC requests to is inferred from the [`start_join`](/docs/agent/opts#start_join) +or [`retry_join`](/docs/agent/opts#retry_join) configurations. If those are both unset or no +[`agent` token](/docs/agent/opts#acl_tokens_agent) is set then the client agent will immediately shut itself down. +If all preliminary checks pass the client agent will attempt to reach out to any server on its RPC port to +request the license. These requests will be retried for up to 5 minutes and if it is unable to retrieve a +license within that time frame it will shut itself down. -If you are downloading the enterprise binary from the [releases.hashicorp.com](https://releases.hashicorp.com/consul/) or the `+ent` package from Amazon S3, you will need to apply -the license to the cluster, after completing the bootstrapping process. -You can set the license on any agent within the cluster and it will be -forwarded to the leading server via the RPC forwarding functionality. -Below are your two options for setting the license file. +#### Snapshot Agent License Retrieval -You can set the license via the -[API](/api/operator/license) or the [CLI](/commands/license). When -you first start Consul, a 30-minute temporary license is available to allow you -time to license the datacenter. You should set the license within ten minutes of -starting the first Consul process to allow time for the license to propagate. +The snapshot agent has similar functionality to the client agent for automatically retrieving the license. However, +instead of requiring a server agent to talk to, the snapshot agent can request the license from the server or +client agent it would use for all other operations. It still requires an ACL token to authorize the request. Also +like client agents, the snapshot agent will shut itself down after being unable to retrieve the license for 5 +minutes. \ No newline at end of file From aeaeec15e8ec133d3964e791f0394652eadd739b Mon Sep 17 00:00:00 2001 From: Matt Keeler Date: Thu, 3 Jun 2021 09:40:12 -0400 Subject: [PATCH 3/5] Add deprecation/removal notices regarding the APIs/CLI commands for licensing that are going away. Co-authored-by: Freddy --- website/content/api-docs/operator/license.mdx | 8 +++++++- website/content/commands/license.mdx | 15 +++++++++++++-- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/website/content/api-docs/operator/license.mdx b/website/content/api-docs/operator/license.mdx index 9ea06b6811ec..415491966e50 100644 --- a/website/content/api-docs/operator/license.mdx +++ b/website/content/api-docs/operator/license.mdx @@ -2,7 +2,7 @@ layout: api page_title: License - Operator - HTTP API description: |- - The /operator/license endpoints allow for setting and retrieving the Consul + The /operator/license endpoint allows for retrieving the Consul Enterprise License. --- @@ -76,6 +76,9 @@ $ curl \ ## Updating the Consul License +-> **Deprecated** This endpoint was removed in Consul v1.10.0 along with +the ability to manage the cluster's license via the API. + This endpoint updates the Consul license and returns some of the license contents as well as any warning messages regarding its validity. @@ -144,6 +147,9 @@ $ curl \ ## Resetting the Consul License +-> **Deprecated** This endpoint was removed in Consul v1.10.0 along with +the ability to manage the cluster's license via the API. + This endpoint resets the Consul license to the license included in the Enterprise binary. If the included license is not valid, the replace will fail. | Method | Path | Produces | diff --git a/website/content/commands/license.mdx b/website/content/commands/license.mdx index fe22a9198800..a9216cf101d7 100644 --- a/website/content/commands/license.mdx +++ b/website/content/commands/license.mdx @@ -2,7 +2,7 @@ layout: commands page_title: 'Commands: License' description: > - The license command provides datacenter-level management of the Consul + The license command provides a datacenter-level view of the Consul Enterprise license. --- @@ -12,7 +12,10 @@ Command: `consul license` -The `license` command provides datacenter-level management of the Consul Enterprise license. This was added in Consul 1.1.0. +The `license` command provides datacenter-level view of the Consul Enterprise license. This was added +in Consul 1.1.0 but Consul 1.10.0 removed the ability to set and reset the license using the CLI. +See the [licensing documentation](/docs/enterprise#licensing) for more information about +Consul Enterprise license management. If ACLs are enabled then a token with operator privileges may be required in order to use this command. Requests are forwarded internally to the leader @@ -56,6 +59,10 @@ Subcommands: ## put +-> **Deprecated** The ability to manage the cluster's license via the CLI +was removed in Consul 1.10. While the CLI command still exists it will +always return an error. This command will be fully removed in a future release. + This command sets the Consul Enterprise license. Usage: `consul license put [options] LICENSE` @@ -116,6 +123,10 @@ Licensed Features: ## reset +-> **Deprecated** The ability to manage the cluster's license via the CLI +was removed in Consul 1.10. While the CLI command still exists it will +always return an error. This command will be fully removed in a future release. + Resets license for the datacenter to the one builtin in Consul binary, if it is still valid. If the builtin license is invalid, the current one stays active. From 4222242f1cee0fcb20942316490c17ff25c93bbf Mon Sep 17 00:00:00 2001 From: Matt Keeler Date: Wed, 2 Jun 2021 14:44:21 -0400 Subject: [PATCH 4/5] Add licensing information to snapshot agent docs. --- website/content/commands/snapshot/agent.mdx | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/website/content/commands/snapshot/agent.mdx b/website/content/commands/snapshot/agent.mdx index 8edcd5eb5608..eab04e69a3dd 100644 --- a/website/content/commands/snapshot/agent.mdx +++ b/website/content/commands/snapshot/agent.mdx @@ -150,6 +150,7 @@ Usage: `consul snapshot agent [options]` "ca_path": "", "cert_file": "", "key_file": "", + "license_path": "", "tls_server_name": "", "log": { "level": "INFO", @@ -378,3 +379,20 @@ $ consul snapshot agent -interval=0 Please see the [HTTP API](/api/snapshot) documentation for more details about snapshot internals. + +## Licensing + +The snapshot agent requires a license when it starts before it will perform any other +actions. This can be provided using the `license_path` configuration item, the +`CONSUL_LICENSE_PATH` environment variable or the `CONSUL_LICENSE` environment variable. +The `license_path` configuration and `CONSUL_LICENSE_PATH` variable should point to +files that contain the license whereas the `CONSUL_LICENSE` variable value should be +the contents of the license itself. If a license is present in multiple ways the +then the order of precedence is as follows: + +1. `CONSUL_LICENSE` variable +2. `CONSUL_LICENSE_PATH` variable +3. `license_path` configuration. + +See the [licensing documentation](/docs/enterprise#licensing) for more information about +Consul Enterprise license management. \ No newline at end of file From ca423c80b9538ea0f9d3e48d2518640f438c9862 Mon Sep 17 00:00:00 2001 From: Matt Keeler Date: Wed, 2 Jun 2021 15:11:53 -0400 Subject: [PATCH 5/5] Add enterprise v1.10 specific upgrade notes. --- .../docs/upgrading/upgrade-specific.mdx | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/website/content/docs/upgrading/upgrade-specific.mdx b/website/content/docs/upgrading/upgrade-specific.mdx index 5e78de6af622..5f7cf6649dca 100644 --- a/website/content/docs/upgrading/upgrade-specific.mdx +++ b/website/content/docs/upgrading/upgrade-specific.mdx @@ -14,6 +14,38 @@ provided for their upgrades as a result of new features or changed behavior. This page is used to document those details separately from the standard upgrade flow. +## Consul 1.10.0 + +Consul Enterprise 1.10 has removed temporary licensing capabilities from the binaries +found on https://releases.hashicorp.com. Servers will no longer load a license previously +set through the CLI or API. Instead the license must be present in the server's configuration +or environment prior to starting. See the [licensing documentation](/docs/enterprise#licensing) +for more information about how to configure the license. Client agents previously retrieved their +license from the servers in the cluster within 30 minutes of starting and the snapshot agent +would similarly retrieve its license from the server or client agent it was configured to use. As +of Consul Enterprise 1.10 both the snapshot agent and client agent have gained the ability to +have a license loaded from a configuration file or from their environment the same way server +agents must have the license specified. Both agents can still perform automatic retrieval of their +license but with a few extra stipulations. First, license auto-retrieval now requires that ACLs +are on and that the client or snapshot agent is configured with a valid ACL token. Secondly, client +agents require that either the [`start_join`](/docs/agent/opts#start_join) or +[`retry_join`](/docs/agent/opts#retry_join) configurations are set and that they resolve to server +agents. If those stipulations are not met, attempting to start the client or snapshot agent will +result in it immediately shutting down. + +### Migration +Prior to upgrading Consul Enterprise to v1.10 you should ensure the license is set in all the right places. +In general following these steps should be all thats necessary to ensure a smooth upgrade. + +1. Retrieve the existing license from your existing cluster by running `consul license get -signed` +2. Ensure that the license is configured on all your servers by setting the one of the `license_path` + configuration item, the `CONSUL_LICENSE_PATH` environment variable or the `CONSUL_LICENSE` + environment variable. +3. If ACLs are not in use or if not all client agents are configured with the necessary `start_join` / + `retry_join` configurations pointing to servers, then repeat step 2 for all client agents. +4. If ACLs are not in use then repeat step 2 for all snapshot agents. +5. Now proceed with the [standard upgrade procedure](/docs/upgrading#standard-upgrades). + ## Consul 1.9.0 ### Changes to Raft Protocol Support